This was a big Windows Patch Tuesday. Microsoft released a total of five critical patches, addressing eight system vulnerabilities. The flaws patched today do not affect the recently finalized Windows 7. Symantec Security Response research manager Ben Greenbaum said the two most serious flaws involve the way Windows handles ASF and MP3 files.
"We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected,” said Greenbaum.
Greenbaum also noted that Microsoft has left a zero-day vulnerability in Internet Information Services unpatched. Attacks based on the issue are already in the wild. Microsoft expects a patch for that to be pushed out next month.
One of the nastiest worms in recent history, the Conficker worm, which first surfaced in October 2008, managed to infect over 9 million PCs, shut down French and British military assets, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.
Nearly a year later, the hefty reward remains uncollected while security experts continue to try to trace Conficker's origins and erase the threat. But it's still out there, as is the threat of another attack.
"It's using the best current practices and state of the art to communicate and to protect itself," Rodney Joffe, director of the Conficker Working Group, said of the worm. "We have not found the trick to take control back from the malware in any way."
After all this time, researchers are still left speculating about what exactly Conficker was ultimately designed to do. It could be as simple as generating large amounts of spam, or it could record keystrokes and steal users' login information. On a larger and more frightening scale, researchers say it's possible Conficker was designed by an intelligence agency or another country's military in order to monitor or disable an enemy's computers.
On the bright side, no one is sitting idly by waiting for Conficker to strike again. While security experts continue to work on ways to eradicate the worm, Conficker remains an open investigation with the FBI, which reportedly has a few leads.
According to IBM's semi-annual security report, hackers and other cyber miscreants are spending far less time phishing as they shift their attention to other techniques for swiping your personal data.
"The decline in phishing and increases in other areas (such as banking Trojans) indicate that attackers may be moving their resources to other methods to obtain the gains that phishing once achieved," IBM said in its Internet Security Systems 2009 Mid-Year Trend & Risk Report.
Trojans, which include downloaders and info-stealers, are now the most commonly used tools of the trade, accounting for 55 percent of the new malware seen, says the report. That's an increase of 9 percent over last year. The rise can partially be attributed to the existence of "public-available toolkits" that malware distributors advertise as being easy to use.
Microsoft's browser was found to have blocked 81% of live malware threats during the tests. The figure seems more impressive once you learn that the runner-up, Firefox 3, only managed to block 27% of malware threats. To boot, Microsoft’s browser also managed to block 83% of phishing URLs, with Firefox finishing second with 80%.
But Ars Technica has cast doubt on the validity of the tests. The heavily lopsided nature of the results is not the only reason for its skepticism. Amy Barzdukas, General Manager of Internet Explorer, told Ars Technica that the tests had been sponsored by Microsoft. Apparently, it ended up becoming the lone sponsor, as other companies didn’t respond to NSS Labs’ call for funding. Microsoft claims to have had no control over the results.
"We invited Google, Mozilla, Apple, Opera to participate, but they didn’t even bother to respond, except for Opera, which stated they “don’t really focus on malware," NSS Labs’ president, Rick Moy, told Ars Technica.
Forget about sophisticated attacks and increasingly complex malware schemes, the biggest threat to a company's security might be social networks and the employees who use them.
So says security firm Sophos, which reports that 63 percent of sysadmins worry about employees sharing too much information on Facebook, MySpace, and other social networking portals, ultimately putting their corporate infrastructure -- and the sensitive data on it -- at risk.
"Evidence shows that their worry is justified," Sophos wrote in the July 2009 update to its Security Threat Report. "In June 2009, the personal information belonging to the incoming head of MI6 was exposed to the entire Facebook network, when his spouse allowed members of the 'London' network to view her profile."
Sophos listed several other examples to back the claim, including a MySpace user losing over $210,000 in an email scam after his "Nigerian cyber-pal started asking for money to help her ailing mother."
But Sophos was quick to warn that completely denying access to social networking sites isn't the answer. Doing so runs the risk of driving employees to find a way around the ban, creating an even bigger risk with less oversight by the IT staff.
It’s official: spam now accounts for 90.4 percent of all e-mail sent, so if you think your spam folder is beginning to look bigger, it’s not just you.
A report released by Symantec states that 1 out of every 1.1 emails is junk, and that spam shot up 5.1 percent from April to May. Spam has also taken a more diabolical turn of late, using older, more trusted sites to host malware.
“Spammers using better-known and thus more widely trusted Web sites to host malware is reminiscent of the spammers who rely on well-known Web mail and social networking environments to host spam content,” stated Paul Wood, Symantec's MessageLabs Intelligence Senior Analyst. “The trustworthy older domains can be compromised through SQL injection attacks while newer sites are more likely to be flagged as suspicious--a temporary site set up with the sole purpose of distributing spam and malware--and thus faster to get shut down.”
So, remember ladies and gents, surf safe! The odds are very stacked against you.
First detected back in March, the 'Gumblar' attacks have been gaining steam lately, growing by as much as 188 percent in just a single week, ScanSafe warned. Gumblar refers to a Web attack that plants malicious scripts on normally legitimate websites, which then redirects Google search results on victims' PCs.
"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman, said late last week in an advisory.
In Gumblar's case, the opposite has been true, a result of website administrators themselves being affected by the attacks. According to ScanSafe, well-known sites that have fallen prey to Gumblar include Tennis.com, Variety.com, and Coldwellbanker.com.
Keep those virus definitions up to date, and if you haven't done so already, look into installing an AV app.
BitTorrent users who scored pre-release versions of the Windows 7 RC may have gotten more than they bargained for. Malware-laced copies of Microsoft’s newest OS were seeded to torrents in late April, and security researchers are warning users who may have downloaded Windows 7 from non-Microsoft sources to format and reinstall their OS.
The adoption rate of the pirated version has slowed since the official release, but as many as 27,000 machines were estimated to be compromised when the command and control center for the botnet was located and finally shut down on May 10th by authorities. Currently, researchers at Damballa are monitoring installations of the infected version and estimate that approximately 1,600 new machines are added per day. The good news here is that new installations won’t be drafted into the botnet, but it’s still not a good idea to run software from untrusted sources.
Blocking this type of infection is difficult, researchers concede, since the Trojan was integrated into the OS installer and became active immediately after setup. The situation is compounded by the fact that Windows 7 still has very limited antivirus options. Operating systems, however, aren’t the only attack vector for those looking to poison torrents: similarly Trojanized copies of other popular torrented applications, including iWork 09 and even Photoshop CS4, have also been found.
AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become some of malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"
A research study by Forefront Client Security, cited by the Engineering Windows 7 blog, determined that infections that can be started with AutoRun amounted to 17.7% of detected infections in the second half of 2008.
Although AutoRun was originally designed strictly for optical media, it also works on other types of media. For example, you can create an autorun.inf file that adds the program on the media to the AutoPlay menu Windows displays, and change the default icon so that the malware entry mimics a legitimate one (such as the "open folder" entry Windows itself offers). Conficker used this method to spread, as illustrated here.
Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:
AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.
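As an added illustration (not part of the original article, and not Microsoft's or Conficker's own code), the following Python script parses an autorun.inf the way a detection tool might, tolerating the junk padding Conficker used, and flags the tricks described above: a program launched from the medium, a payload hidden behind a non-executable extension and loaded through rundll32, a folder icon borrowed from shell32.dll, and action text copied from Windows' own AutoPlay entry. It also checks the removable-drive bit of Explorer's NoDriveTypeAutoRun registry value, the administrative mitigation available before the Windows 7 change. Both autorun.inf samples are constructed for this example; the payload path and file names are made up.

```python
import re
from typing import Dict, List

# Tolerant INI-style parsing: Conficker padded its autorun.inf with lines of
# garbage so that the real keys were hard to spot (and hard to signature).
SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll")

# Bit for removable drives in Explorer's NoDriveTypeAutoRun value.
DRIVE_REMOVABLE = 0x04


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value entries of the [autorun] section, keys lower-cased.

    Lines that are neither a section header nor key=value are skipped as
    padding; the first occurrence of a key wins.
    """
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = KEY_VALUE.match(line)
        if section == "autorun" and m:
            entries.setdefault(m.group(1).lower(), m.group(2))
    return entries


def assess_autorun(text: str) -> List[str]:
    """Flag the AutoRun tricks an infected removable drive typically shows."""
    entries = parse_autorun_inf(text)
    findings: List[str] = []

    launch = entries.get("shellexecute") or entries.get("open")
    if launch:
        findings.append("launches a program from the medium: " + launch)
        if "rundll32" in launch.lower():
            findings.append("loads the payload through rundll32, so it need not be an .exe")
        for token in launch.replace(",", " ").split():
            if "." in token and not token.lower().endswith(EXEC_EXT):
                findings.append("payload hides behind a non-executable extension: " + token)

    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower() or icon.lower().startswith("%systemroot%"):
        findings.append("borrows a Windows system icon (folder look-alike): " + icon)

    if "open folder" in entries.get("action", "").lower():
        findings.append("copies Windows' own 'Open folder to view files' action text")
    return findings


def removable_autorun_disabled(no_drive_type_autorun: int) -> bool:
    """True if the NoDriveTypeAutoRun mask suppresses AutoRun on removable drives."""
    return bool(no_drive_type_autorun & DRIVE_REMOVABLE)


# Constructed sample modelled on the Conficker autorun.inf: junk padding,
# a DLL payload under a made-up fake extension, and a borrowed folder icon.
SAMPLE_CONFICKER_STYLE = r"""
[autorun]
zd4pv-w:q9gl*hx
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
k7#bn;qp~e
shellexecute=RUNDLL32.EXE .\RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\payload.vmx,ahaezedrn
UseAutoPlay=1
"""

# Constructed benign sample: a CD installer that names its own program and icon.
SAMPLE_BENIGN = """
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for name, sample in (("conficker-style", SAMPLE_CONFICKER_STYLE), ("benign", SAMPLE_BENIGN)):
        print(name)
        for finding in assess_autorun(sample):
            print("  -", finding)
    print("0x91 blocks removable AutoRun:", removable_autorun_disabled(0x91))
    print("0xFF blocks removable AutoRun:", removable_autorun_disabled(0xFF))
```

The benign installer produces a single finding (it launches setup.exe), while the Conficker-style file trips all five checks; on a fleet, that gap is what a triage rule would key on. The 0x91 versus 0xFF comparison shows why the registry mitigation only helps if removable drives are actually included in the mask.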
After nearly three years of development, Panda Security today released the public beta of its Panda Cloud Antivirus, which the company claims is the first free cloud-based antivirus thin-client. By taking AV duties to the cloud and combining it with local detection technologies, Panda says it can do a better job at protecting your PC than a traditional virus scanner.
"Thanks to Panda Security's Collective Intelligence malware and goodware online database, Panda Cloud Antivirus detects more malware than traditional signature-based solutions which take longer to detect the most recent, and therefore most dangerous, variants," Pedro Bustamante, Panda Senior Research Advisor, wrote in a blog entry.
The local portion of the program takes up roughly 50MB of hard drive space while consuming about 17MB of RAM, according to a CNET report. By the time Panda Cloud Antivirus exits the beta stage, Bustamante hopes to have the RAM consumption down to 12MB.
One potential downside to relying on the cloud for antivirus protection is that your PC would be left vulnerable without an internet connection. But not to worry, says Bustamante, who clarified that a local cache copy of Collective Intelligence is kept on the PC for just such scenarios.