Thursday, December 30, 2010

How to Block the New Fast Flux Botnet

The folks at Shadowserver have reported on a new spam campaign that, at first, looked like the holiday e-card scams that have been around for many years.  On closer inspection of the details, it appears that it could be the next generation of Storm Worm or Waledac.

Below you'll find a list of subjects in the spam campaign reported by Steven Adair in New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0?.  The e-mails are coming from all over the Internet with spoofed sender addresses.

  • Greeting for you!
  • Greeting you with heartiest New Year wishes
  • Greetings to You
  • Happy New Year greetings e-card is waiting for you
  • Happy New Year greetings for you
  • Happy New Year greetings from your friend
  • Have a happy and colorful New Year!
  • l want to share Greeting with you (Shadowserver note: the first letter is an L)
  • New Year 2011 greetings for you
  • You have a greeting card
  • You have a New Year Greeting!
  • You have received a greetings card
  • You've got a Happy New Year Greeting Card!

The email contains a link to a compromised website.  Clicking the link results in a redirect to one of the new malicious domains being used by the botnet.  As explained in the report, "these are fast flux domains that will frequently return a new IP address each time they are resolved."
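As an added illustration of the fast flux behaviour quoted above (not code from the Shadowserver report or from this post), the script below scores domains from a constructed passive-DNS style log: a name that answers with many different addresses spread across several /24 networks, each with a short TTL, is flagged, while a CDN-style name that alternates between two addresses in one network is not.  The domains, addresses and thresholds are invented for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log, not real observations: (seconds since the first
# lookup, domain, answer address, TTL).  Addresses are documentation ranges.
SAMPLE_RESOLUTIONS = [
    (0,   "card.flux.example", "203.0.113.5",   60),   # new address every lookup,
    (90,  "card.flux.example", "198.51.100.44", 60),   # spread over three /24s
    (180, "card.flux.example", "192.0.2.17",    60),
    (270, "card.flux.example", "203.0.113.200", 60),
    (360, "card.flux.example", "198.51.100.9",  60),
    (450, "card.flux.example", "192.0.2.250",   60),
    (0,   "cdn.example",       "203.0.113.10",  300),  # short TTL, but only two
    (120, "cdn.example",       "203.0.113.11",  300),  # addresses in one /24
    (240, "cdn.example",       "203.0.113.10",  300),
    (360, "cdn.example",       "203.0.113.11",  300),
    (0,   "static.example",    "192.0.2.1",     3600), # one address, long TTL
    (600, "static.example",    "192.0.2.1",     3600),
]


def summarize(records, window=600):
    """Per domain: lookups, distinct answers, distinct /24 networks and the
    lowest TTL seen within `window` seconds of that domain's first lookup."""
    by_domain = defaultdict(list)
    for t, domain, ip, ttl in records:
        by_domain[domain.lower()].append((t, ip, ttl))
    stats = {}
    for domain, rows in by_domain.items():
        start = min(t for t, _, _ in rows)
        rows = [r for r in rows if r[0] - start <= window]
        ips = {ip for _, ip, _ in rows}
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        stats[domain] = {
            "lookups": len(rows),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(ttl for _, _, ttl in rows),
        }
    return stats


def fast_flux_candidates(records, min_ips=4, min_nets=3, max_ttl=300, window=600):
    """Heuristic: many distinct answers, across several /24 networks, with a
    short TTL, all inside a short window.  Network diversity is what separates
    a flux name from a CDN name that also uses a short TTL."""
    flagged = []
    for domain, s in summarize(records, window).items():
        if (s["distinct_ips"] >= min_ips and s["distinct_nets"] >= min_nets
                and s["min_ttl"] <= max_ttl):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_RESOLUTIONS).items():
        print(domain, s)
    print("fast flux candidates:", fast_flux_candidates(SAMPLE_RESOLUTIONS))
```

Thresholds should be tuned against a baseline of your own resolver traffic; the values here only separate the three constructed cases.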


From New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0?, the currently known domains hosting the botnet, whose purpose is to install malware, are listed below with the appropriate entry to add to your HOSTS file if you wish to block the domains.

If you use WinPatrol, it is easy to edit the HOSTS file, regardless of whether you are running Windows XP, Windows Vista or Windows 7:

  • Right-click on Scotty in the system tray to launch WinPatrol and select "Options".
  • Windows Vista and Windows 7 Users: Accept any UAC Prompts
  • Click "View HOSTS file", which will launch in Notepad
  • In Notepad copy/paste the following entries:

    127.0.0.1  bethira.com
    127.0.0.1  bitagede.com
    127.0.0.1  cifici.com
    127.0.0.1  darlev.com
    127.0.0.1  elberer.com
    127.0.0.1  envoyee.com
    127.0.0.1  leolati.com
    127.0.0.1  makonicu.com
    127.0.0.1  nurealla.com
    127.0.0.1  scypap.com
    127.0.0.1  suedev.com
    127.0.0.1  teddamp.com
    127.0.0.1  eplarine.com

  • Click File > Save
  • Close Notepad
  • Close WinPatrol


If you do not use WinPatrol (you should!), you can manually edit the HOSTS file.  It just takes a bit more effort.

With default Windows installations, the HOSTS file is located at C:\Windows\System32\drivers\etc.  If you use Windows 7, it is necessary to first click Start, type Notepad, then right-click Notepad and choose Run as Administrator.  Then, for all systems (Windows XP, Windows Vista and Windows 7), right-click hosts and choose to open it with Notepad.


This is an example of what you will see when Notepad launches the HOSTS File:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost

After the last line in the HOSTS file, paste the entries below:
127.0.0.1  bethira.com
127.0.0.1  bitagede.com
127.0.0.1  cifici.com
127.0.0.1  darlev.com
127.0.0.1  elberer.com
127.0.0.1  envoyee.com
127.0.0.1  leolati.com
127.0.0.1  makonicu.com
127.0.0.1  nurealla.com
127.0.0.1  scypap.com
127.0.0.1  suedev.com
127.0.0.1  teddamp.com
127.0.0.1  eplarine.com

Save and close Notepad. 

Your HOSTS file has been updated and those malware domains have been blocked.
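As an added example (not the author's or WinPatrol's code), the Python below does the same edit programmatically: it parses an existing HOSTS file the way Windows reads it (anything after '#' ignored, several names per line allowed), reports which of the thirteen domains above are not yet blocked, and appends only the missing entries.  The sample file content is constructed; on a real system you would read and write C:\Windows\System32\drivers\etc\hosts as Administrator.

```python
# Constructed sample HOSTS content (not a real system file): the default
# Microsoft header lines, the commented-out localhost entries, and two lines
# that already block three of the domains, one with a trailing comment.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1  bethira.com   # added earlier
0.0.0.0    CIFICI.com bitagede.com
"""

# The thirteen domains named in the Shadowserver report quoted above.
BLOCKLIST = [
    "bethira.com", "bitagede.com", "cifici.com", "darlev.com", "elberer.com",
    "envoyee.com", "leolati.com", "makonicu.com", "nurealla.com", "scypap.com",
    "suedev.com", "teddamp.com", "eplarine.com",
]

# Addresses that count as "blocked": loopback, or the unroutable 0.0.0.0 sink.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def blocked_names(hosts_text):
    """Every hostname mapped to a sink address.  A HOSTS line is
    <address> <name> [<alias> ...] [# comment]; comparison is case-insensitive."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, whole or trailing
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINK_ADDRESSES:
            names.update(name.lower() for name in fields[1:])
    return names


def missing_entries(hosts_text, domains):
    """Domains from `domains` that the file does not yet block, in list order."""
    present = blocked_names(hosts_text)
    return [d for d in domains if d.lower() not in present]


def add_block_entries(hosts_text, domains, sink="127.0.0.1"):
    """Append one '<sink>  <domain>' line per unblocked domain.  Existing
    content is kept verbatim and a second call adds nothing, so the check
    can be re-run safely whenever the list changes."""
    missing = missing_entries(hosts_text, domains)
    if not missing:
        return hosts_text
    body = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    body += "# Fast flux botnet domains (Shadowserver, December 2010)\n"
    body += "".join(f"{sink}  {d}\n" for d in missing)
    return body
```

The list only covers the domains known at the time of the report, so the check is worth re-running whenever it is updated.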

Clubhouse Tags: Clubhouse, Security, Privacy, How-To, Information, Tutorial, Family Safety, Windows Vista, Windows 7, Windows XP,


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Monday, December 27, 2010

Facebook Privacy Warning

A notice is showing up for Facebook users to update security settings for "Account Protection".  The options are provided to make it easier to log back in to Facebook in the event there is a problem with your account.  The first provided option is to provide a secondary e-mail address.  The second option includes providing your Mobile number to achieve "High" account control. 

Unfortunately, caution is needed in both instances to avoid forfeiting privacy.  Added alternate e-mail address(es) have a default visibility setting of "Friends Only".  If you elect to add your mobile number, there is a pre-checked option to add the number to your Facebook profile.  Instructions for customizing the information shared are in the "Privacy Settings" section below.

Information on the notice, steps to add the information and recommendations are provided below.

Notice



The "Account Protection" notice appears in the right column.  The status changes from Low to Medium after adding an alternate e-mail address. 







Step 1

Multiple alternate e-mail addresses can be added.  

Each added address will receive a "Facebook Contact Email Confirmation" with a link to confirm the alternate address.


WARNING:  If you restrict access to, or do not share, your e-mail address with others in Facebook, or have customized settings, it is necessary to update the settings for any added e-mail address(es).  See the instructions below under "Privacy Settings".
 
After confirming any added alternate e-mail addresses, clicking the question mark (?) on the update screen explains how you can achieve "High" security:



Step 2

When you select the option under Mobile Phone to "Sign up for Facebook mobile" and reach "High" Account Control, the instructions are to select country and mobile carrier and then enter the code received after sending a text message to FBOOK from the mobile number.

Unfortunately, this is where caution is needed.  The option to add the phone number to your Facebook profile is pre-checked:

 WARNING: "Add this phone number to my profile" is pre-checked.

If that information is not already blocked in your profile then, unless the option is unchecked, depending on your privacy settings you will be providing your mobile number to anyone who has access to your profile information.

Personally, considering the frequent manner in which Facebook changes settings, I prefer not to include that information in Facebook.  However, in the event you elect to include your mobile number, you can control who has access to that and other personal information.

Privacy Settings


To edit your Privacy Settings, select Account > Privacy Settings. 



In the "Choose Your Privacy Settings" window that opens, select Customize settings.  From there you can change the options as to who has access to your contact information.  The options include Everyone, Friends of Friends, Friends and Customize (edit).  




Although I have not provided my Mobile phone, I kept the "Only Me" setting.  If you opt to customize that setting, you can make selected information visible to specific people on your friends list by individually adding their name(s).  Information can also be hidden from specific individuals by adding the name(s) in the bottom section:



If you have not seen the "Account Protection" notice and wish to go ahead and add a backup e-mail address and/or mobile number, the steps are available at http://www.facebook.com/update_security_info.php.  Just be careful that you are not sharing more information than you want available.


Clubhouse Tags: Clubhouse, Security, Privacy, How-To, Information, Tutorial, Family Safety,




Friday, December 24, 2010

Ukrainian Christmas Eve

Merry Christmas to all my family, friends and Security Garden readers.

I extend warmest wishes to each of you and your family. May you enjoy the spirit of Christmas every day of the coming year.

Our family celebrates Christmas Eve in the Ukrainian tradition.  The video below includes examples of some of the traditional foods that are part of the Christmas Eve celebration. 








Wednesday, December 22, 2010

Microsoft Security Advisory 2488013


Microsoft released Security Advisory 2488013 to address a publicly disclosed vulnerability in Internet Explorer 6, 7 and 8 that could be exploited if you visit a website hosting malicious code.  Microsoft reported that the current impact of this vulnerability is limited and that they are not aware of any active attacks.

Microsoft is closely monitoring the situation but, due to the current limited impact, has determined there is not a need for an out-of-band release.  Should that change, an update will be provided on the MSRC Blog.


Internet Explorer Protected Mode on Windows Vista and Windows 7 helps limit the impact of the currently known proof-of-concept exploits.  Protected Mode is on by default in the Internet and Restricted sites zones in Internet Explorer 7 and 8.  Protected Mode will warn you when a website attempts to install software, or to run or modify sensitive system components.  If you are not familiar with Protected Mode, you can learn more about it here:  What does Internet Explorer protected mode do?



Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Advisory, Vulnerabilities, Information, Internet Explorer,




Thursday, December 16, 2010

Microsoft Security Essentials 2.0 Released

Along with release to manufacturing of Forefront Endpoint Protection 2010 (FEP) for business users, Microsoft Security Essentials (MSE) 2.0 has been released.  The updated version of MSE includes the following enhancements:

  • Windows Firewall integration – During setup, Microsoft Security Essentials will now ask if you would like to turn the Windows Firewall on or off.
  • Enhanced protection for web-based threats – Microsoft Security Essentials now integrates with Internet Explorer to provide protection against web-based threats.
  • New protection engine – The updated anti-malware engine offers enhanced detection and cleanup capabilities with better performance.
  • Network inspection system* – Protection against network-based exploits is now built in to Microsoft Security Essentials.

*Windows XP Users Note:   As explained when the MSE Beta was announced, the network inspection system feature is not enabled on Windows XP. The network inspection system requires the Windows Filtering Platform (WFP) in order to run.  WFP is only available in Windows Vista and Windows 7.

How to get MSE 2.0:

Microsoft Security Essentials 2.0 can be downloaded from the Microsoft Download Center.  
Tips
  1. Select the correct version:  MSE has both a 32-bit and a 64-bit version.  (To determine if your computer is running a 32-bit or 64-bit version of Windows, click the Start button > Control Panel > System and Security > System.  The system type is shown under System.)
  2. If you have a different antivirus software program already installed, it will be necessary to uninstall it before installing MSE.  You may want to use AppRemover to remove the leftovers not removed during the normal uninstall process of the antivirus program.
  3. It is highly advised to install all Microsoft Security Updates prior to installing MSE.
  4. Do NOT install MSE on an already infected system.  If you need assistance removing malware from your computer, seek help from a trained analyst.  A fairly comprehensive list is available here:  Malware Removal Help Sites.
  5. The installation process is essentially the same as for the original release, described in this tutorial.
If you are already running MSE on your computer, it is easy to update to the new version.  You should see the following when launching MSE:
Click on the Upgrade link to install and then restart the computer to complete the process.  Version detail information is available in "About Security Essentials" located in the drop-down option in Help. 

Edit Addition:  I have seen a lot of questions about the MSE software update in the forums.  To check manually for the software update, click the triangle next to Help and select "Check for software updates" as illustrated below:


Note the addition of the Network Inspection System Engine:
Security Essentials Version: 2.0.650.0
Antimalware Client Version: 3.0.8107.0
Engine Version: 1.1.6402.0
Antivirus definition: 1.95.1960.0
Antispyware definition: 1.95.1960.0
Network Inspection System Engine Version: 2.0.5854.0
Network Inspection System Definition Version: 9.1.0.0
Edit Note:  Fellow MVP, Alan Burchill, published a new post for Group Policy for MSE Version 2 to support its new features:  Group Policy for Microsoft Security Essentials 2.0



Clubhouse Tags: Clubhouse, family, How-to, antivirus, Microsoft, Windows, Security, Updates, Information,







Tuesday, December 14, 2010

Security Bulletin Release for December, 2010


Microsoft released seventeen (17) bulletins addressing forty (40) vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange. Two (2) of those bulletins carry a Critical rating, while fourteen (14) are rated Important and one is rated Moderate.

A complete description of all the bulletins is available in the TechNet Bulletin Summary linked below.  The bulletin that closes out the last known vulnerability exploited by the Stuxnet malware is MS10-092.

Following is the description from the MSRC Blog of the two critical bulletins:
  • MS10-090 This bulletin resolves seven issues -- five Critical, two Moderate -- affecting all supported versions of Internet Explorer, on both Windows clients and Windows servers. Among its other updates, it addresses a vulnerability previously described in Security Advisory 2458511.
  • MS10-091 This bulletin is Critical and addresses three vulnerabilities in Windows' OpenType Font driver. All three issues were privately reported and we are not aware of any active attacks using them.

Microsoft also released an updated Malicious Software Removal Tool this month.

For complete details, see the references listed below.



Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,




Thursday, December 09, 2010

Mozilla Firefox 3.6.13 Security and Stability Update



Mozilla Firefox 3.6.13 has been released to fix stability issues and address the following security vulnerabilities:
  • MFSA 2010-84 XSS hazard in multiple character encodings
  • MFSA 2010-83 Location bar SSL spoofing using network error page
  • MFSA 2010-82 Incomplete fix for CVE-2010-0179
  • MFSA 2010-81 Integer overflow vulnerability in NewIdArray
  • MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
  • MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
  • MFSA 2010-78 Add support for OTS font sanitizer
  • MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
  • MFSA 2010-76 Chrome privilege escalation with window.open and element
  • MFSA 2010-75 Buffer overflow while line breaking after document.write with long string
  • MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

To manually check for the update, click Help and Check for Updates.




Clubhouse Tags: Clubhouse, Security, Updates, Information










Security Bulletin Advance Notification for December, 2010


On Tuesday, December 14, 2010, Microsoft is planning to release 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate.  


The updates will address the last remaining Stuxnet-related issue, a local Elevation of Privilege vulnerability.  Aside from Stuxnet, Microsoft has not seen evidence of its use in active exploits.  Microsoft is also addressing the Internet Explorer vulnerability described in Security Advisory 2458511.

In reviewing the Advance Notice, note that six of the bulletins are not applicable to Windows 7. The bulletins for Microsoft Office Suites and Software apply to all versions from Microsoft Office XP Service Pack 3 through Office 2010, 64-bit.



Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information, Microsoft Office,





Wednesday, December 08, 2010

Oracle SunJava Update


Oracle SunJava released an update to the Java Runtime Environment (JRE).  The full internal version number for this update release is 1.6.0_23-b05 (where "b" means "build").  The external version number is 6u23.

This is not a security update.  The next security update is scheduled for 18 January 2011.  Rather, the update contains enhancements, described as follows:


  • Improved performance and stability
  • Enhanced support for right-to-left languages

Although Java is not required (See Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update. 

Download Update: Java SE Runtime Environment 6u23


Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Please check add/remove programs to ensure that you have uninstalled all prior (and vulnerable) versions of SunJava.




Clubhouse Tags: Clubhouse, Updates, Java






Thursday, December 02, 2010

AVG Update Disaster Impacts Windows Users

Windows customers of AVG Antivirus ran into a problem with virus database 271.1.1/3292 (432/3292) released 12:53 AM CET.  When following through with the requested computer restart, instead of Windows loading, they received the error:
"STOP: c0000135 The program can't start because %hs is missing from your computer. Try reinstalling the program to fix this problem."
Although the update was removed from the servers as soon as AVG was aware of the problem, many were impacted by this issue.  From reports on the AVG forum, it appears that 64-bit systems were the ones impacted.  Reports differ as to whether the issue was restricted to Windows 7 or also included Windows Vista customers.

AVG has provided suggested steps in the forum thread at Some Windows 7 Operating Systems Cannot Be Started After Latest Update, followed by an FAQ topic: System crash after the recent AVG 2011 update 3292 (BSOD).  

One AVG user reported that the "Alternate Method" was successful after the repair disk failed.

If you are looking for a replacement antivirus solution, the following are free for personal use.
My favorite paid/licensed solution is ESET antivirus products.

Clubhouse Tags: Clubhouse, Windows, Security, AntiVirus, Information, MSE, Microsoft Security Essentials, Information, Windows Vista, Windows 7,

