
Wednesday, June 20, 2012

Microsoft has issued an emergency security patch (Flame malware)

DOWNLOAD FIX (or run Windows Update):
Microsoft Knowledge Base Article 2718704
http://support.microsoft.com/kb/2718704

Fw: US-CERT Current Activity – Unauthorized Microsoft Digital Certificates
http://tech.groups.yahoo.com/group/BlueCollarPCSecurity/message/1777
This document can also be found at
http://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates

INFECTED?
Flamer removal tool from Bitdefender
Help Net Security
“It goes places where other spyware doesn’t go, retrieves information others don’t retrieve, and ensures the infected computer has no privacy whatsoever,” said Catalin Cosoi, Bitdefender’s Chief Security Researcher. “Luckily, the Bitdefender removal tool …
http://www.net-security.org/malware_news.php?id=2128

——–
Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
http://technet.microsoft.com/en-us/security/advisory/2718704
Published: Sunday, June 03, 2012
Version: 1.0
Affected Software and Devices
This advisory discusses the following affected software and devices.
Operating System
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Affected Devices
Windows Mobile 6.x
Windows Phone 7
Windows Phone 7.5
———-

WARNING!
Flame malware hijacks Windows Update to spread from PC to PC
Ars Technica
The Flame espionage malware targeting Iranian computers contains code that can completely hijack the Windows update mechanism that Microsoft uses to distribute security patches to hundreds of millions of its users, security researchers said Monday….
http://arstechnica.com/security/2012/06/flame-malware-hijacks-windows-update-to-propogate/


Homeland Security warns businesses about new cyber weapon
Examiner.com
Webroot said they first encountered a sample of Flame malware in December 2007. Researchers believe Duqu may have been created in August 2007. The first variant of Stuxnet did not appear on computers until June 2009. Cyber security experts at Kaspersky …
http://www.examiner.com/article/homeland-security-warns-businesses-about-new-cyber-weapon


=========

Cover Story: Cyber spy program Flame compromises Microsoft security system
http://news.yahoo.com/cyber-spy-program-flame-compromises-key-microsoft-security-170651458–abc-news-topstories.html

Microsoft certification authority signing certificates added to the Untrusted Certificate Store
3 Jun 2012 5:55 PM
IN FULL:
http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
“Today, we released Security Advisory 2718704, notifying customers that unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority. With this blog post, we’d like to dig into more technical aspects of this situation, potential risks to your enterprise, and actions you can take to protect yourself against any potential attacks that would leverage unauthorized certificates signed by Microsoft.

We’d also like to share how this issue relates to a complex piece of targeted malware known as “Flame”. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers…..”

RELATED LINK
Security Advisory 2718704,
http://technet.microsoft.com/en-us/security/advisory/2718704
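An added check, written for this post (it is not Microsoft’s code and is not part of the advisory or the SRD article quoted above), that a Windows 7 / Server 2008 R2 administrator can paste into an elevated PowerShell session to confirm the mitigation described above is actually in place. It assumes only what the advisory states: the update moves the affected Microsoft sub-CA certificates into the Untrusted Certificates store, which PowerShell exposes as Cert:\LocalMachine\Disallowed. The subject filter ‘*Microsoft Enforced Licensing*’ matches the certificate names Microsoft lists in Advisory 2718704. The second function shows the Authenticode chain of any signed file you pass it (the path in the usage lines is a placeholder), so a signature that chains through one of those sub-CAs can be recognised.

```powershell
# Added check (not Microsoft's code): confirm the Advisory 2718704 mitigation on
# this machine. Assumes only what the advisory describes: the update places the
# affected Microsoft sub-CA certificates in the Untrusted Certificates store,
# exposed in PowerShell as Cert:\LocalMachine\Disallowed. Run elevated.

function Test-Kb2718704Mitigation {
    # Informational only: was the KB package itself recorded as installed?
    $hotfix = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue

    # The real effect of the fix: the sub-CAs are explicitly distrusted.
    # The subject filter matches the certificate names listed in the advisory.
    $distrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like '*Microsoft Enforced Licensing*' })

    New-Object PSObject -Property @{
        HotfixRecorded   = [bool]$hotfix
        DistrustedSubCAs = $distrusted.Count
        Thumbprints      = @($distrusted | ForEach-Object { $_.Thumbprint })
        Mitigated        = ($distrusted.Count -gt 0)
    }
}

function Get-SignerChain {
    # Shows what a file's Authenticode chain actually contains, so a signature
    # that chains through one of the distrusted sub-CAs can be recognised.
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $subjects = @()
    $status   = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline: trust decisions come from the local stores, including Disallowed.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($sig.SignerCertificate)
        $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $status   = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })
    }
    New-Object PSObject -Property @{
        Path            = $Path
        # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...)
        # is to be treated as unsigned.
        Status          = $sig.Status.ToString()
        ChainSubjects   = $subjects
        ChainStatus     = $status
        ViaDistrustedCA = [bool]($subjects | Where-Object { $_ -like '*Microsoft Enforced Licensing*' })
    }
}

# Usage (the second path is a placeholder for the file under investigation):
Test-Kb2718704Mitigation | Format-List
Get-SignerChain -Path 'C:\Path\To\Suspect.exe' | Format-List
```

Get-HotFix reads Win32_QuickFixEngineering, which does not record every kind of update, so HotfixRecorded is informational only; the certificate-store result is the one that matters, because the distrust entries are what make Windows reject anything signed through those sub-CAs, whether or not the KB number shows up.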

=========
Microsoft certificate used to sign Flame malware, issues warning
ZDNet (blog)
By Zack Whittaker | June 4, 2012, 6:04am PDT
Summary: Microsoft has issued a security advisory warning and a high-priority update after parts of the Flame malware were signed with Microsoft-issued certificates. Microsoft has issued an emergency …
http://www.zdnet.com/blog/btl/microsoft-certificate-used-to-sign-flame-malware-issues-warning/78980
=========

OLDER

Term of the Day: Flame Virus
http://tech.groups.yahoo.com/group/BlueCollarPCSecurity/message/1743

Flame Malware: All You Need to Know
Network World
Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a …
http://www.networkworld.com/news/2012/053012-flame-malware-all-you-need-259713.html?hpg1=bn

FAQ: Flame, the “super spy”
The H
by Jürgen Schmidt The spyware worm Flame is being billed as a “deadly cyber weapon”, but a calmer analysis reveals it to be a tool by professionals for professionals that doesn’t actually have that many new features compared to, say, the widespread …
http://www.h-online.com/security/features/FAQ-Flame-the-super-spy-1587063.html

Flame: Trying to Unravel the Mystery of ‘Sophisticated’ Spying Malware
PBS
Reportedly capable of taking computer screenshots, logging keystrokes and even listening in on office conversations, malware known as “Flame” is grabbing international attention after appearances in Iran and elsewhere in the Middle East….
http://www.pbs.org/newshour/bb/science/jan-june12/theflame_05-30.html

New malware Flame said to be “the most complex threat ever discovered”
allvoices
By arkar
If reports are to be believed, a malware identified as Flame has, for the past two years, been collecting private data from such countries as Iran and Israel and is being described as “one of the most complex threats ever discovered…..
http://www.allvoices.com/contributed-news/12267165-new-malware-flame-detected-said-to-be-the-most-complex-threat-ever-discovered

Flame ‘first Windows-based malware ever observed to use Bluetooth’
CSO (blog)
Despite all the hype I’ve complained about these last few days regarding Flame, there is some interesting research from the vendor community worth noting here,
including the malware’s affinity for Bluetooth. Symantec sent me the details in an email …
http://blogs.csoonline.com/malwarecybercrime/2203/flame-first-windows-based-malware-ever-observed-use-bluetooth

Don’t Get Burned By ‘Flame’ Malware Attack
PCWorld
Weighing in at 20 megabytes, and somewhere around 750000 lines of code, Flame is much closer to a commercial application like Microsoft Word, or Intuit’s Quicken than it is to the vast majority of malware attacks out there. The question is should you …
http://www.pcworld.com/article/256499/dont_get_burned_by_flame_malware_attack.html

UPDATE EDIT…..
Flame malware made to self-destruct after discovery —Symantec
GMA News
Shortly after it was discovered and made public, the “Flame” (or “Flamer”) malware, which security vendors have described as a potent super cyber-weapon, received a command from its creator to self-destruct. According to security vendor Symantec, …
http://www.gmanetwork.com/news/story/261076/scitech/technology/flame-malware-made-to-self-destruct-after-discovery-mdash-symantec
 
Flame authors order infected computers to remove all traces of the malware
Computerworld
By Lucian Constantin IDG News Service – The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis …
http://www.computerworld.com/s/article/9227876/Flame_authors_order_infected_computers_to_remove_all_traces_of_the_malware
 
Flame gets suicide command
Register
By Richard Chirgwin 
The controllers of the Flame malware have apparently reacted to the publicity surrounding the attack by sending a self-destruct command. According to Symantec, some command-and-control machines have sent …
http://www.theregister.co.uk/2012/06/07/flame_suicide_command/

User Asks: Signs of a backdoor Trojan?

Hello all…. I go by the handle of ‘antibotnet’ at Yahoo Answers > Security. Here is a helpful question and answer I thought to share…

QUESTION:
Signs of a backdoor Trojan?
If I had a backdoor intruder on my machine, what would I notice to make me suspicious?
http://answers.yahoo.com/question/index?qid=20120328132628AA1JHMk

MY ANSWER:
In older days, going back at least five years ago and more, malware was practically always obvious as “something seems to be running in the background”. This is because computers were much smaller, specifically in RAM memory, which is kind of a cache of memory used by all the start-up programs you see the little icons for down in the lower-right system tray, and by running programs. RAM memory was very small at the release of Windows XP (2001), when 256M RAM from the factory was common. This led to the famous coined phrase “512M RAM Upgrade”, which was simply adding another 256M RAM memory stick inside the computer, a snap-in.

Today it is common to see 1Gig RAM as small and inefficient, and probably only on now-legacy leftover computers for sale. Most new ones begin at 2Gig RAM, which is 8 times the size of the above XP example at 256M RAM. 3Gig of RAM is quite commonplace now in new PCs, as is 4Gig RAM, expandable to a whopping 8 Gigs!

That being said – and adding the upgraded processors that are now dual and quad core with much higher speeds as standard equipment, and being on broadband, leaving dial-up in the dust as a 56K connection compared to 1M and up to 4G broadband/DSL connectivity speeds – all that being said, it is not that easy at all to suspect something running in the background just because the PC navigation has bogged down from time to time when you are not running stuff.

(NOTE: What kind of malware bogs down the system? Spyware that is broadcasting out – copied files, screen snapshots, keylogger data, etc. Mass-mailing worms. Downloader Trojans or rootkits that are installing more malware. A full-blown botnet infection that may contain all of the above, plus has added some P2P (peer-to-peer) software and is using the machine not only to download and upload pirated software and files, but also to continually spew illegal crimeware such as viruses, worms, spyware, etc.)

Like when you are not mega multi-tasking with 4 programs open and running. You might have one thing open you are doing, and in older days, when you additionally were navigating around the system, like opening another program or starting up a new email, suddenly the whole system would almost go to a crawl – terribly bogged-down navigation.

THAT was a sure sign there was malware running in the background, generally spyware or a worm such as a spam worm emailing everyone in an address book of email addresses on the computer.
Backdoor threats such as Trojan downloaders are actually newer in malware, somewhat well after the middle of this past decade. As a comparison, these were virtually unheard of going back 7 years and further. Again, because of the larger computer sizes and upgrades, it is much, much more difficult to simply sense malware such as these running in stealth, not visible to the naked eye.

The best thing to do is simply install and use quality antimalware that has both antivirus and antispyware and Real Time Protection processes. Adding a personal software firewall aids that too. Perform Full Scans at least once a week!

What would make you suspicious? ID theft, and new malware installed without knowing how – these are two suspicious symptoms of backdoor threats. This is what they do.

SEE:
Glossary of Malware
http://www.westcoastlabs.org/
Backdoor – A Backdoor is a secret or undocumented way of gaining access to a program, online service, computer or an entire computer network. Most Backdoors are designed to exploit a vulnerability in a system and open it to future access by an attacker. A Backdoor is a potential security risk in that it allows an attacker to gain unauthorized access to a computer and the files stored thereon.

Source(s):
Threats FAQs
Threats Frequently Asked Questions
http://bluecollarpc.us/Threats_FAQs.html
How to Remove a Backdoor Trojan Computer Virus
http://www.ehow.com/how_5164888_remove-backdoor-trojan-computer-virus.html
Backdoor Santas
http://www.bleepingcomputer.com/tutorials/tutorial41.html
Backdoor.Trojan | Symantec
http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99
Trojan Downloader Featured Articles
http://www.ehow.com/trojan-downloader/

User Question: Should I disable updates then update programs when necessary?

Hey all…. I go by the handle of “antibotnet @ yahoo.com” at Yahoo Answers > Security. Here is a new question I am blogging, as the answer contents are pretty standard, even as a “form answer” for these types of standard questions you meet over and over again, all slightly different:

Should I disable updates then update programs when necessary?
“I’m a rookie network administrator. I sysprep my machines twice a year on a schedule. I’m thinking this time I should lock down the usual but also disable all updates from all software and Windows 7. When an update comes along that is worthy I can then update the machines individually. Last time I used GPO it uninstalled all the programs instead of installing them. Very odd. I’ve heard it is ‘unsafe’ to not always update your OS but I’m thinking almost everything we’re using is web-based. What do you all think?
Note: I will always let AVG update.”
FULL:
http://answers.yahoo.com/question/index;_ylt=AnyXcm_aRycJOo1WdNm9.Ksw5XNG;_ylv=3?qid=20120328130039AAzYR2o

This is very specific to your network usage in security and allowances. Anywhere from a Home Network all the way up to Home/Small Business (and anything in between) is indicated, and you were not specific. Generally, I don’t know anyone that would give away this type of consultation for free, as generally IT Security et al. freelancing can start with a preliminary environment evaluation at a price (which is what I do), adding an hourly flat fee starting at $150.00 and then a contract price for specific services rendered – which is apparently what you are seeming to ask for free: a Preliminary Environment Evaluation, or onsite impression of the existing set up.

TIP: Basically, as far as computer security, the general recommendation is all things up to date all the time. Security Updates are not eye candy. They are for specific necessary defense which, left undone, can cause a liability for you personally according to whatever the network usage is. SEE the infamous JiffyLube case whereby they were held responsible. That should put you in the right frame of mind and away from bad, disingenuous advice.

TIP: Windows Updates have historically not been found at fault at all when, once applied, some programs/softwares may have been “broken”. This has historically been the software creator(s)’ fault – NOT Microsoft Windows Updates. That is one example of less than acceptable IT people that ignorantly and chronically blame Microsoft for all the “woes” that are, in reality, virtually always self-made or lax third-party softwares’ faults.

TIP: Security-wise – ALL softwares are to be up to date ALL the time with vendor updates. Secunia PSI is excellent. Installed softwares are a “SOFT TARGET” for cyber criminal crimewares now to gain entry into the system or network.

Have Hardware Firewalls been activated additionally – and in modems as well?

NOTICE: Security Updates via Windows Updates are ONLY sent out each second Tuesday of the month (if there are any, and there usually are), which has been dubbed “Patch Tuesday”. If there is an Emergency Patch, such as for a new “zero day threat”, these are issued as soon as ready – immediately – as an “OUT OF CYCLE PATCH”, an emergency patch.

IMPORTANT: It is difficult to determine your “twice yearly” updating mentioned, as you did not give specifics. Try to be very particular and clear about items, with detail. If you meant Windows Updates – well, as you can see, and as you mentioned, you are definitely a “rookie network administrator” as you say, and the PCs in the network are most likely in severe need of upgrading immediately.

If you meant OS (operating system) Upgrades twice yearly – that does not make sense, as these Upgrades have been the releases of XP, Vista, Windows 7 and then 8 – as examples, and years apart, not occurring “twice yearly”.

ADVICE: Considering cyber events such as corporate “Blended Threats”, CEO-type Phishing targeting, bots, I would re-evaluate your “security solution” mentioned as bi-yearly patching and AVG Business. There are a good handful of products well above in quality and documented defense, such as Trend Micro for one. You can be polite to a mutt – but will it defend you as completely as a well trained thoroughbred? Or run away squealing and yelping?

Source(s):
http://en.wikipedia.org/wiki/Group_Policy
http://support.microsoft.com/kb/302577

How To Use HiJackThis to find Malware infection Part One


HijackThis – Trend Micro USA (Genuine Freeware) [works with netbooks]
Trend Micro HijackThis is a free utility that generates an in depth report of registry and file settings from your computer.
http://free.antivirus.com/hijackthis/
http://en.wikipedia.org/wiki/Hijackthis
http://sourceforge.net/projects/hjt/
HiJackThis UPDATED:
Trend Micro Releases HijackThis Source Code to sourceforge.net
MarketWatch (press release)
http://www.marketwatch.com/story/trend-micro-releases-hijackthis-source-code-to-sourceforgenet-2012-02-17

RUNNING A HJT LOG ANALYSIS PART ONE
There is always a need to review this magic utility – how to use it responsibly and SAFELY.
(FYI (for your information): the nicknames you may see around at forums etc. are “HJT”, “HJT Log Help” and “HJT Log Analysis” – HiJackThis log help.)
If you have never performed a HiJackThis analysis: it is a simple, quick look at start-up items, which may reveal installed malware that is starting up with the computer system, and other installed softwares set to run at every start-up. An HJT log may show a resident threat in some areas. It can reveal malware toolbars installed, and possibly other threats misusing an ActiveX item. HJT generates a sort of system read-out snapshot in a text log file that can be examined in depth.

HiJackThis was NEVER designed to be a malware remover. It is NOT to be used as one, or as a substitute for one. The average user is always told to NEVER make changes to the computer with HiJackThis, but rather to go to an Advanced User or Professional for help, online or elsewhere, as a friend in the know and savvy at malware removal. Mistaken use may cause damage to the system and/or other softwares, rendering them inoperable.

IF YOU WERE TO CHOOSE “FIX THIS” ….. UH-OH
If you clicked “Fix This” on any valid process or software, it may delete or corrupt that part of the Windows OS (operating system) or other softwares, rendering them inoperable. NEVER click “Fix This” unless you are an Advanced User or Professional, or have been directed to do so by one.
“Fix This” may delete the executable file and possibly a “Run” registry key, etc.
It cannot delete/uninstall the malware payload files and registry key entries – the FULL threat – and these leftovers can be re-used by malware and potentially hide from antimalware products. Being orphaned (executable deleted, payload remnants = orphans), they may also be used by a rootkit to hide from detection as inert files not deemed a threat during antimalware scans. At best, quality antimalware products may possibly detect these as variants and quarantine/remove them during a scan. Probably not.

In cases of in-the-wild threats or other severe threats rifling through and hijacking control of the PC, with their executable showing up in the HJT scan/log, HJT may possibly be used to delete the start-up entry – generally the executable, “malware.exe” as a fantasy example – to regain control of the computer for the user. If it is a known malware threat, its payload installation files can be found in full in online malware databases. Having regained control of the computer by deleting the executable from start-up, the rest of the payload can now be manually removed. In cases of in-the-wild threats, deleting the executable can give control of the PC back, and a follow-up to delete the entire installation manually will have to be performed once the payload is known and posted publicly. The user in this state should be cautioned to either not use the PC, or use it very sparingly, as instability or further infection activity may occur.

That is all because generally the user has no Emergency Repair CD to reinstall Windows and needs the hail-mary scenario to save their computer from the trash – purchased with their hard-earned sawbucks and not replaceable in the near future, leaving them stuck without a PC. It may also be used just to regain control of the PC in order to access private files one wishes to back up – make a copy of – before reinstalling the system to Factory Fresh, wiping the entire disk first; another hail mary to save important documents, pictures, movies, etc. If the user is aware of that, proceed with that understanding.

Bottom line….. If you irresponsibly use, or give instructions to irresponsibly use, HJT – ignoring the example hazards and damage warnings above – you may find it all come back on you by some smear blitz over the internet about “so and so destroyed my computer, that creep!”, to say the least. If you are a professional or company, you may be sued for damages for gross negligence, deceptive practices and destruction of computer equipment. That would have to be defined by lawyers and the court.
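The kind of read-only triage described above, as an added example that is not part of the original post and is not HijackThis code: a PowerShell script that parses the O2/O3/O4/O16 lines of an HJT log into objects and flags the entries a helper would look at first (items launched from a user-writable Temp or AppData folder, BHOs and toolbars with “(no name)” or “(no file)”, and downloaded ActiveX controls from hosts not on a small allow-list). The sample log embedded in the script is constructed; every path, CLSID and program name in it is made up, and the host allow-list is a placeholder. The script reports only; it does not touch the registry or any file, which is exactly the point made above about never clicking “Fix This”.

```powershell
# Added triage example (not HijackThis code, not from the original post): parse a
# HijackThis log and flag start-up items that deserve a second look. It reads and
# reports only; it never changes the registry or deletes files.

# Constructed sample log modelled on HJT's line formats. Every path, CLSID and
# program name is made up for the example ("malware.exe" is the post's own
# fantasy name), so nothing here identifies a real threat.
$SampleLog = @'
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Vendor PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Vendor\Reader\ActiveX\PdfLinkHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Users\User\AppData\Local\Temp\bhohelper.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O4 - HKLM\..\Run: [Reader Speed Launcher] "C:\Program Files\Vendor\Reader\reader_sl.exe"
O4 - HKCU\..\Run: [updater] C:\Users\User\AppData\Local\Temp\malware.exe
O4 - Startup: report.lnk = C:\Users\User\Documents\report.docx
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Example Viewer) - http://downloads.example.net/viewer.cab
'@

function ConvertFrom-HjtLog {
    # Turns the HJT lines we care about into objects: Section, Name, Location, Target.
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    foreach ($line in $Lines) {
        $entry = $null
        switch -Regex ($line) {
            # O4 - HKLM\..\Run: [Name] command line   (registry Run keys)
            '^O4 - (?<loc>HK\S+): \[(?<name>[^\]]*)\] (?<target>.*)$' {
                $entry = @{ Section = 'O4'; Location = $Matches['loc']; Name = $Matches['name']; Target = $Matches['target'] }
                break
            }
            # O4 - Startup: shortcut.lnk = target   (Startup folder items)
            '^O4 - (?<loc>(?:Global )?Startup): (?<name>.+?) = (?<target>.*)$' {
                $entry = @{ Section = 'O4'; Location = $Matches['loc']; Name = $Matches['name']; Target = $Matches['target'] }
                break
            }
            # O2 - BHO: Name - {CLSID} - file   /   O3 - Toolbar: Name - {CLSID} - file
            '^(?<sec>O2|O3) - (?:BHO|Toolbar): (?<name>.+?) - (?<clsid>\{[0-9A-Fa-f-]{36}\}) - (?<target>.*)$' {
                $entry = @{ Section = $Matches['sec']; Location = $Matches['clsid']; Name = $Matches['name']; Target = $Matches['target'] }
                break
            }
            # O16 - DPF: {CLSID} (Name) - URL   (downloaded ActiveX control)
            '^O16 - DPF: (?<clsid>\{[0-9A-Fa-f-]{36}\}) \((?<name>[^)]*)\) - (?<target>.*)$' {
                $entry = @{ Section = 'O16'; Location = $Matches['clsid']; Name = $Matches['name']; Target = $Matches['target'] }
                break
            }
        }
        if ($entry) { New-Object PSObject -Property $entry }
    }
}

function Get-HjtSuspects {
    # Applies a few first-pass heuristics and returns only the entries that trip one.
    param([Parameter(Mandatory = $true)]$Entries)

    # Placeholder allow-list of ActiveX download hosts; a real review checks every host.
    $knownDownloadHosts = @('java.sun.com', 'download.microsoft.com', 'fpdownload.macromedia.com')

    foreach ($e in $Entries) {
        $reasons = @()
        # Legitimate start-up items are almost never launched from a user-writable
        # temp or profile folder.
        if ($e.Target -match '\\(AppData|Local Settings|Temp|Temporary Internet Files)\\') {
            $reasons += 'runs from a user-writable temp/profile folder'
        }
        # A BHO/toolbar with no name, or whose file is gone, is a classic leftover or hidden add-on.
        if ($e.Name -eq '(no name)')   { $reasons += 'unnamed BHO/toolbar' }
        if ($e.Target -eq '(no file)') { $reasons += 'registry entry with no file on disk (orphan)' }
        # A downloaded ActiveX control from an unrecognised host is worth checking.
        if ($e.Section -eq 'O16' -and $e.Target -match '^https?://([^/]+)/' -and ($knownDownloadHosts -notcontains $Matches[1])) {
            $reasons += "ActiveX control downloaded from unrecognised host $($Matches[1])"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Section = $e.Section; Name = $e.Name; Target = $e.Target; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Usage: parse the constructed log and list what deserves a closer look.
$entries  = ConvertFrom-HjtLog -Lines ($SampleLog -split "`r?`n")
$suspects = Get-HjtSuspects -Entries $entries
$suspects | Format-Table -AutoSize Section, Name, Target, Reasons
```

To run it on a real log, replace $SampleLog with the output of Get-Content on the HJT text file. The flagged list is a starting point for the helper, not a verdict: each entry still has to be checked against the vendor’s documentation and an online malware database before anyone decides what, if anything, gets removed, and the removal itself is done as described above, not with the script and not with “Fix This”.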

PART TWO WILL SHOW THE ACTUAL ANALYSIS. >>>
Click > Do System Scan and Create Log File