Sunday, February 28, 2010

Celebrating Freedomlist!

Websites come and go. Forums either outlive their usefulness or evolve with the times. Ten years ago, Freedomlist was born as -- well -- as a list of free Internet Service Providers (ISPs). In fact, at that time it was the heyday of free ISPs providing Internet access.

As time passed, Freedomlist evolved from providing help and information on free ISPs to include $10 & Under Cheap ISPs, then Broadband and, along the way, added Help, Tips & Tricks, PC Protection, and more.

As with any Web site, the same may be said of the community: new members come and go. However, throughout Freedomlist's evolution, many of the original members, including myself, continue to call Freedomlist "home".

Although I have since branched out to provide help at other sites, it was at Freedomlist where I first learned the ropes for securing my computer, where I learned about software firewalls, antivirus and anti-spyware programs and the importance of keeping security updates up-to-date. So it is with great pride that I announce the 10th Anniversary Celebration of Freedomlist.


Please join me in expressing heartfelt appreciation to the following security software vendors who generously donated licenses to be awarded as contest prizes during the celebration.



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, February 25, 2010

Waledac Botnet Takedown

The Waledac botnet had the capability of sending 1.5 billion spam e-mails per day. During a three-week period in December 2009, approximately 651 million spam e-mails attributable to Waledac were directed to Hotmail accounts alone. Waledac can also download and execute arbitrary files, harvest e-mail addresses from the local machine, perform distributed denial of service (DDoS) attacks, steal passwords, and more. Hundreds of thousands of computers have been infected with Win32/Waledac.

What is a botnet? As described by Microsoft Associate General Counsel, Tim Cranton:
"Botnets - networks of compromised computers controlled by hackers known as “bot-herders” - have become a serious problem in cyberspace. Their proliferation has led some to worry that the botnet problem is unsolvable. Under the control of a hacker or group of hackers, botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of new forms of malicious software."
With support from the Microsoft Malware Protection Center (MMPC), the Microsoft Digital Crimes Unit took both legal and technical steps that effectively shut down the Waledac botnet. On the legal side, a federal judge granted a temporary restraining order that cut off 277 Internet domains believed to be run by the Waledac operators.

The result of the restraining order was described by Tim Cranton as follows:
"This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet."
Although the connections between the botnet's controllers and the infected computers have effectively been severed, that effort does not clean the infected computers; they are still running the original malware. Below is a map of Waledac infections around the world during a recent 18-day period.


To help make sure your computer is not one of those dots on the map, run Microsoft's Malicious Software Removal Tool, which detects and removes the malware.

Efforts by others involved in the campaign are described by PCWorld in Microsoft Recruited Top Notch Guns for Waledac Takedown.

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Vulnerabilities, Information




Wednesday, February 24, 2010

How-to: Reduce Vulnerability to Drive-by Downloads

Is your computer more vulnerable to drive-by downloads than it needs to be? The type of drive-by download I am referring to is malware installed from a Web site, without any user intervention, by exploiting vulnerable software already on the computer. That is right: your computer can be infected merely by landing on a Web page that performs drive-by downloads.

In Stopping Stealthy Downloads, Brian Krebs provided statistics from Dasient indicating that "in the fourth quarter of 2009, roughly 5.5 million Web pages contained software designed to foist unwanted installs on visitors". Although, as explained by Brian, there is a government-funded research group that is preparing to release a new free tool designed to block drive-by downloads, what can you do until "BLADE" (Block All Drive-By Download Exploits) is available?

I hope Security Garden readers will recognize what they can do to help reduce their vulnerability to drive-by downloads after reviewing the statistics provided in the graphs by BLADE’s evaluation lab.

The first graph illustrates the browser infection rate per drive-by exploit. We can see at a glance that IE6 is far more susceptible to drive-by downloads than other browsers. The surprise, however, and one I was not expecting, is the high numbers for IE7 compared to Firefox 3 and IE8.



Now, dear readers, here is the big surprise. The BLADE lab also provided information on the vulnerable applications most targeted in drive-by attacks. Surprise: Adobe products and Oracle Sun Java far exceed the figures for Internet Explorer.




The lesson from this information is obvious and one the security community has been harping on for a long time: Microsoft security updates are only one piece of the puzzle. It is also critical that other software be kept up to date. To reduce your exposure to drive-by downloads, use an up-to-date browser and ensure that other vendors' software is also up to date.

Update/Upgrade your browser:
Adobe Products:

If you use Adobe products, be certain you have the most recent versions. Go to http://www.adobe.com/ to get the latest versions. Also, if you downloaded either Adobe Reader or Adobe Flash Player for Windows prior to the release of Adobe Security Bulletin APSB10-08 on February 23, 2010, see the Adobe Download Manager Security Update post below for instructions.

Oracle SunJava:

With Java, it is extremely important to check that old, vulnerable installations are no longer resident on your computer. Go to Add or Remove Programs and uninstall any item listing J2SE or Java Runtime Environment in the name. Unfortunately, not every version of Java will begin with "Java", so be sure to read each entry in the list. Other versions may begin with JDK, JRE or SDK.

The latest version of Java SE is available from here. Select the JRE version and pay attention when installing the update, unchecking any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
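The three checks in this how-to (stale Java runtimes, the Flash Player version, and the Adobe Download Manager described in the post below) can be scripted instead of clicked through. The PowerShell below is an added example for this article, not code from Adobe, Oracle or Microsoft. It reads the same registry keys that Add or Remove Programs displays (including the Wow6432Node key for 32-bit software on 64-bit Windows), takes 10.0.45.2 as the minimum Flash version because that is the fixed release named in the February 12 post below, and uses a Sun Microsystems/Oracle publisher filter and a Java name pattern that are heuristics of mine; the function names are my own. Run it from an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the original post or from Adobe/Oracle/Microsoft):
# inventory the software the February 2010 posts tell readers to check by hand.

function ConvertTo-Version([string]$Text) {
    # Java lists versions like "6.0.180"; anything unparsable sorts lowest.
    $clean = ($Text -replace '[^\d.]', '').Trim('.')
    if ($clean -match '^\d+(\.\d+){1,3}$') { return [version]$clean }
    return [version]'0.0'
}

function Get-InstalledPrograms {
    # Same list Add or Remove Programs shows, including 32-bit apps on 64-bit Windows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in $keys) {
        if (Test-Path $key) {
            Get-ChildItem $key | ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
                Where-Object { $_.DisplayName }
        }
    }
}

$installed = @(Get-InstalledPrograms)
$report    = @()

# 1. Java: the how-to warns that stale runtimes linger under several names (Java, J2SE,
#    JRE, JDK, SDK). Collect every Sun/Oracle entry that looks like Java, keep the newest,
#    flag the rest for removal. The publisher filter keeps e.g. the Windows SDK out.
$java = @($installed |
    Where-Object { $_.DisplayName -match '(^|\W)(J2SE|Java|JRE|JDK|SDK)(\W|$)' -and
                   $_.Publisher -match '^(Sun Microsystems|Oracle)' } |
    Sort-Object { ConvertTo-Version $_.DisplayVersion } -Descending)
for ($i = 0; $i -lt $java.Count; $i++) {
    $status = if ($i -eq 0) { 'keep (newest)' } else { 'REMOVE (old Java)' }
    $report += New-Object PSObject -Property @{ Component = $java[$i].DisplayName; Version = $java[$i].DisplayVersion; Status = $status }
}
if ($java.Count -eq 0) { $report += New-Object PSObject -Property @{ Component = 'Java'; Version = '-'; Status = 'not installed' } }

# 2. Flash Player: 10.0.45.2 is the fixed release named in the Feb 12 post. The ActiveX
#    control (IE) and the NPAPI plugin (Firefox/Opera/Safari) are separate files, so check
#    both, in both the System32 and (on 64-bit Windows) the SysWOW64 install folders.
$flashMin  = [version]'10.0.45.2'
$flashDirs = "$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash"
$flashFiles = @(foreach ($d in $flashDirs) {
    if (Test-Path $d) { Get-ChildItem $d | Where-Object { $_.Name -match '^(Flash.*\.ocx|NPSWF32\.dll)$' } }
})
foreach ($f in $flashFiles) {
    $vi = $f.VersionInfo   # integer parts sidestep Flash's comma-separated "10,0,45,2" string
    $v  = New-Object Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $kind   = if ($f.Extension -eq '.ocx') { 'Flash Player ActiveX (IE)' } else { 'Flash Player plugin (Firefox/Opera/Safari)' }
    $status = if ($v -lt $flashMin) { "UPDATE (below $flashMin)" } else { 'ok' }
    $report += New-Object PSObject -Property @{ Component = $kind; Version = "$v"; Status = $status }
}
if ($flashFiles.Count -eq 0) { $report += New-Object PSObject -Property @{ Component = 'Flash Player'; Version = '-'; Status = 'not installed' } }

# 3. Adobe Download Manager (APSB10-08): the posts say its presence shows as a NOS folder
#    under Program Files plus an Add or Remove Programs entry. Both Program Files folders
#    are checked so a 32-bit install on 64-bit Windows is not missed.
$nos = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'NOS' } | Where-Object { Test-Path $_ })
$dlm = @($installed | Where-Object { $_.DisplayName -like 'Adobe Download Manager*' })
$status = if ($nos.Count -gt 0 -or $dlm.Count -gt 0) { 'REMOVE via Add or Remove Programs' } else { 'not present' }
$report += New-Object PSObject -Property @{ Component = 'Adobe Download Manager'; Version = ($nos -join ';'); Status = $status }

$report | Format-Table Component, Version, Status -AutoSize
```

The script only reports; it does not uninstall anything. Rows marked REMOVE are the ones to take care of in Add or Remove Programs, and a Flash row marked UPDATE means a trip to the Adobe download links given in the February 12 post.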



References: Graphs from BLADE Malicious URL Analysis





Adobe Download Manager Security Update

Yes, there is a 0-day vulnerability in the Adobe Download Manager! The vulnerability, identified as CVE-2010-0189, could allow an attacker to download and install unauthorized software on your computer.

Your computer is vulnerable if you downloaded either Adobe Reader or Adobe Flash Player for Windows prior to the release of Adobe Security Bulletin APSB10-08, released February 23, 2010.

To determine whether your computer is susceptible to this vulnerability, check Program Files for the C:\Program Files\NOS\ folder. If found, go to Add or Remove Programs and select "Adobe Download Manager" for removal.

References:

Adobe Security Bulletin APSB10-08
Aviv Raff: May The Force Be With You


Clubhouse Tags: Clubhouse, Security, Updates, Vulnerabilities, Adobe




Saturday, February 20, 2010

To Bruno Knaapen: God Speed


While words escape me, my thoughts today are with family and friends of Bruno Knaapen.

Bruno leaves behind a public legacy at Scot's Newsletter Forums in Bruno's All Things Linux, at his own Tips for Linux Explorers and the newly dedicated Bruno Knaapen Technology Learning Center.

God speed your spirit to the eternal light, dear Bruno. You will not be forgotten.








Thursday, February 18, 2010

Alureon/TDSS Rootkit and Restart Issues After Installing MS10-015

In an update regarding the restart issues after Security Bulletin MS10-015 (KB977165) is installed, Microsoft reported that the reboot occurs because the system is infected with malware, specifically what Microsoft refers to as the Alureon rootkit. The Alureon rootkit is more commonly known in the security community as the TDSS/Tidserv rootkit.

Although instructions are available for using the Recovery Console to uninstall KB977165, that method does not remove the rootkit, leaving the system severely compromised. To illustrate the degree of control the rootkit has over the computer: as reported by Marco Giuliani in the Prevx Blog, the TDSS/Tidserv rootkit authors have already pushed an update that takes care of the MS10-015 BSOD (blue screen of death):
"All TDL3 droppers have been server-side rebuilt every day during November, December, January and February. This allowed the authors to break weak signatures or badly written generic detection routines. Actually this was the only effective obstacle, otherwise only really few specific anti-rootkits are able to detect the infection when active.

Even the rootkit itself has been updated and armored, to defend itself against the attack of a number of anti-rootkit specific tools. It's funny following the full story of the rootkit, because it looks like a nice chess game between security vendors and malware authors. It's one of the few times you can see a team of rootkit writers counteracting almost in real time to security vendors.

We already knew the rootkit is able to infect a system driver and to filter every disk I/O request by applying a strong filtering mechanism. Now the rootkit added a watchdog thread able to prevent any change to the service registry key related to the infected driver. By doing so, it is able to block some basic cleanup tools.

Another self defense feature added to the rootkit is that no one is able anymore to get a handle to the infected driver file. By doing so, the rootkit is preventing some cleanup tools from reading the content of the file. Prior versions of the rootkit allowed reading the infected file, though they were showing the clean copy of it. This trick was used by some security tools to recover the original clean copy of the file to restore."

If you have encountered this reboot issue after installing MS10-015, it is highly recommended that you back up important files and completely restore the system from a cleanly formatted disk. For assistance, see Microsoft's Help & How-to articles on installing or reinstalling Windows.

To determine if your computer is infected, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, the Windows Live OneCare safety scanner or ESET Online Scanner.

In the event you are unable to locate the Windows XP CD or DVD and do not have the Recovery Console installed, free assistance is available from Microsoft by calling 1-866-PCSafety (1-866-727-2338) or from https://consumersecuritysupport.microsoft.com. International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

Although reinstalling the operating system is the recommended safe method of recovering from a rootkit, an alternative if you have lost the installation media is the Kaspersky TDSSKiller tool.
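The self-defence behaviour Prevx describes above (no process can obtain a handle to the infected driver file) suggests a quick heuristic a technician can run before deciding whether to reformat. The PowerShell below is an added example for this post, not a tool from Prevx, Kaspersky or Microsoft: it walks every kernel-mode and file-system driver registered under HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath value to a file on disk, and reports the driver files that exist but cannot be opened for reading. The function names are mine; the Type values 1 and 2 are the documented SERVICE_KERNEL_DRIVER and SERVICE_FILE_SYSTEM_DRIVER constants. Run it from an elevated PowerShell prompt. Because the quoted text also says the rootkit filters every disk I/O request, an empty result is not proof of a clean system; a hit, on the other hand, is a strong reason to follow the reinstall advice above.

```powershell
# Added example (not from the original post or from Prevx/Kaspersky/Microsoft):
# find registered driver files that refuse a read handle, the symptom Prevx describes.

function Resolve-DriverPath([string]$ImagePath, [string]$ServiceName) {
    # ImagePath appears in several shapes; reduce each to a normal Win32 path.
    if (-not $ImagePath) { $ImagePath = "system32\drivers\$ServiceName.sys" }   # default when the value is absent
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { return $matches[1] }                          # \??\C:\...\x.sys
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:windir $matches[1] }   # \SystemRoot\system32\...
    if ($p -match '^[A-Za-z]:\\')         { return $p }                                   # already absolute
    return Join-Path $env:windir ($p -replace '^\\', '')                                  # system32\DRIVERS\x.sys
}

function Test-DriverFileReadable([string]$Path) {
    # 'missing' if the file is not there, 'readable' if a read handle opens, otherwise the error text.
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        $fs.Close()
        return 'readable'
    } catch {
        return $_.Exception.GetBaseException().Message
    }
}

function Get-UnreadableDrivers {
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; user-mode services are skipped.
    $findings = @()
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or ($props.Type -ne 1 -and $props.Type -ne 2)) { continue }
        $path   = Resolve-DriverPath $props.ImagePath $svc.PSChildName
        $result = Test-DriverFileReadable $path
        # Stale entries whose driver file is gone (removed hardware) are normal; only a file
        # that is present yet cannot be opened for reading is worth a closer look.
        if ($result -eq 'readable' -or $result -eq 'missing') { continue }
        $findings += New-Object PSObject -Property @{ Service = $svc.PSChildName; Path = $path; Error = $result }
    }
    return $findings
}

$hits = @(Get-UnreadableDrivers)
if ($hits.Count -eq 0) {
    'No registered driver file refused a read handle (this is not proof the system is clean).'
} else {
    'Driver files that exist but cannot be opened for reading; inspect these first:'
    $hits | Format-Table Service, Path, Error -AutoSize
}
```

Any driver listed should be compared against a known-good copy from installation media or another machine of the same build; a legitimate driver image normally opens for reading even while it is loaded.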

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information




Friday, February 12, 2010

Adobe Flash Player and Adobe Air Security Updates

Adobe released updates to both Adobe Flash Player and Adobe AIR to correct a critical vulnerability in both products.

From the Adobe Security Bulletin:

"Adobe Flash Player
Adobe recommends all users of Adobe Flash Player 10.0.42.34 and earlier versions upgrade to the newest version 10.0.45.2 by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted.

Adobe AIR
Adobe recommends all users of Adobe AIR version 1.5.3.9120 and earlier update to the newest version 1.5.3.9130 by downloading it from the Adobe AIR Download Center."

It is necessary to obtain the correct Adobe Flash Player for your browser. Do not confuse it with Shockwave Player, which is a different program. The direct download links are as follows:

Firefox, Safari, Opera: http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player.exe

Internet Explorer: http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_ax.exe

The uninstaller for old versions of Adobe Flash Player is available from http://kb2.adobe.com/cps/141/tn_14157.html


Note:
Please remember to uncheck any unwanted 3rd party toolbars/programs during installation IF they are offered to you.
Adobe Flash version check: http://www.adobe.com/products/flash/about/


Clubhouse Tags: Clubhouse, Security, Updates, Vulnerabilities, Adobe



Update - Restart Issues After Installing MS10-015

Update at the MSRC Blog by Jerry Bryant, Sr. Security Communications Manager Lead, Update - Restart Issues After Installing MS10-015:
"In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating. Please review our blog post from yesterday for additional information.

One of the key components when investigating issues like this is obtaining memory dumps from computers experiencing the problem. In order to get the information we need to fully analyze the issue, some of our support engineers have actually driven to customer locations and picked up affected systems so we can get the needed crash data directly and help inform our investigation. For more information about memory dumps, please see: http://support.microsoft.com/kb/254649.

We encourage customers to follow our “Protect Your PC” best practices and always have up to date anti-virus software running on their systems to help prevent malware infections. For customers who do not have anti-virus software, you can either scan your system using our online tool at http://safety.live.com or you can install Microsoft Security Essentials for free.

This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx."
Please note that not all instances of this problem have necessarily been caused by malware. However, in preparation for installing updates, please be sure to do a complete system scan with your antivirus software, followed by a restart and a scan with your anti-malware program.

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information



Thursday, February 11, 2010

Windows XP Restart Issues After Installing MS10-015

Microsoft is aware that, after installing the February security updates, a limited number of users are experiencing issues restarting their computers. From reports, it appears that this issue occurs after installing MS10-015 (KB977165). It may or may not be specific to a particular brand of PC or to third-party software. While Microsoft works on this problem, the update has been removed from Windows Update. Additional details are available at the MSRC Blog in Restart issues after installing MS10-015.

If you have not installed the February updates yet, you will no longer be offered MS10-015; however, if your Windows Update settings download updates and let you decide when to install them, it would be wise to check the list before installing. In order to protect your computer from the Elevation of Privilege vulnerability that MS10-015 addresses, there is a Microsoft Fix it that mitigates the vulnerability, available from http://support.microsoft.com/kb/979682.

For anyone experiencing the BSOD after installing MS10-015, following are the instructions for removing the update, as provided by Kevin Hau, MSFT at Microsoft Answers:

1. Boot from your Windows XP CD or DVD and start the recovery console (see this Microsoft article for help with this step).

Once you are in the Repair Screen..

2. Type this command: CHDIR $NtUninstallKB977165$\spuninst

3. Type this command: BATCH spuninst.txt

4. When complete, type this command: exit

In the event you are unable to locate the Windows XP CD or DVD and do not have the Recovery Console installed, free assistance is available from Microsoft by calling 1-866-PCSafety (1-866-727-2338) or from https://consumersecuritysupport.microsoft.com. International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.


Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information




Tuesday, February 09, 2010

Microsoft Security Advisory (977377)

Microsoft released Security Advisory (977377): Vulnerability in TLS/SSL Could Allow Spoofing today based on public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability.

The following affected software is identified in Security Advisory 977377:
  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems*
  • Windows Server 2008 R2 for Itanium-based Systems
*Server Core installation affected. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

Additional information is available in Microsoft Knowledge Base Article 977377.

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Vulnerabilities, Information



February 2010 Security Bulletin Release


Microsoft released thirteen security bulletins addressing twenty-six vulnerabilities. Windows is affected by eleven of the bulletins and older versions of Office by the remaining two bulletins.

Of the bulletins, the following are rated Critical: MS10-006, MS10-007, MS10-008, MS10-009, and MS10-013.

Additional information is available in the MSRC blog.

  • MS10-003: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214), Important
  • MS10-004: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416), Important
  • MS10-005: Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706), Moderate
  • MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251), Critical
  • MS10-007: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713), Critical
  • MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262), Critical
  • MS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145), Critical
  • MS10-010: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894), Important
  • MS10-011: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037), Important
  • MS10-012: Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468), Important
  • MS10-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935), Critical
  • MS10-014: Vulnerability in Kerberos Could Allow Denial of Service (977290), Important
  • MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165), Important




Friday, February 05, 2010

Windows 7 RC Expiration Approaches

Time does tend to catch up with us. In this case, time is catching up with the Windows 7 Release Candidate (RC). Notifications will start appearing on February 15, 2010, with warnings that the operating system will soon expire.

More importantly, starting on March 1, 2010, computers still using the RC will begin shutting down every two hours. Any work in progress will not be saved during the shutdown.

The Windows 7 RC will fully expire on June 1, 2010. Computers running the Windows 7 RC will continue shutting down every two hours with no files being saved during shutdown. In addition, the wallpaper will change to a solid black background with a persistent message on the desktop. This will be accompanied by periodic notifications that Windows isn’t genuine, resulting in the inability to obtain optional updates or downloads requiring genuine Windows validation.

There are several solutions:
  1. Reinstall a prior version of Windows
  2. Upgrade to Windows 7
  3. Install the Windows 7 Enterprise 90-day Trial
For solutions 1 and 2, it will be necessary to do a custom (clean) install to replace the RC: first back up your data, then install Windows, reinstall your applications and restore the data. Help is available at Microsoft Windows Help & How-To: Install, reinstall, or uninstall Windows.

Solution 3 is available to IT Pros who need more time to test application and hardware compatibility in Windows 7.

Clubhouse Tags: Clubhouse, Microsoft, Information, how-to, Windows 7



Thursday, February 04, 2010

February 2010 Bulletin Release Advance Notification

On Tuesday, February 9, 2010, Microsoft will be releasing 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate. The updates will address 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office.

The summary table below from the MSRC Blog provides an indication of what to expect for your operating system:

Version                  Critical  Important  Moderate  Low  Total
Windows 2000                 5         3          1       0     9
Windows XP                   5         2          1       0     8
Windows Server 2003          4         3          2       0     9
Windows Vista                3         3          0       0     6
Windows Server 2008          3         4          0       1     8
Windows 7                    3         2          0       0     5
Windows Server 2008 R2       3         1          0       1     5

An updated version of the Microsoft Windows Malicious Software Removal Tool will also be available.


There is also a timely reminder in the MSRC Blog post regarding the end of product life for three Windows systems. After the dates indicated, Microsoft will no longer provide security updates for those systems.

  • "Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
  • Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
  • Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updates for Windows 2000."



Clubhouse Tags: Clubhouse, Security, Updates, Microsoft, Information



Security Advisory 980088 Released

Microsoft released Security Advisory 980088 to address a publicly disclosed vulnerability in Internet Explorer that may allow Information Disclosure on Windows XP or systems where IE Protected Mode has been disabled. Microsoft is not aware of any attacks using the vulnerability at this time.

From the MSRC Blog:

"Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue. Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems."

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Vulnerabilities, Information




