Wednesday, November 25, 2009

Rule release for today - November 25th, 2009

Extra coverage for the Microsoft Internet Explorer tag issue.

Changelogs etc. are available here: http://www.snort.org/vrt/advisories/2009/11/25/vrt-rules-2009-11-25.html

Monday, November 23, 2009

Rule release for today - November 23rd, 2009

Microsoft Internet Explorer suffers from a programming error that may allow a remote attacker to execute code on an affected system.

Advisory and changelog here: http://www.snort.org/vrt/advisories/2009/11/23/vrt-rules-2009-11-23.html

Help us help you

Remember how you've been hearing for years that cybercriminals would start targeting smartphones "soon"? Well, we've seen 2 iPhone worms this month alone. The first worm is "rickrolling" jailbroken iPhones in Australia. The worm uses a simple hack to get a foothold on these iPhones: it takes advantage of the fact that many users have installed SSH and have not changed the default SSH password on their phones. The second worm, which has been getting some press over the weekend, takes advantage of the same hack and targets ING bank customers in the Netherlands, redirecting them to a phishing website.

As of August 2009, there were an estimated 13M iPhones in the US. 8.4% of these phones, or 1.1M, were jailbroken. That's a lot of phones. If you are part of that 1.1M and have SSH installed but have not changed the default SSH password, please please please do it now. Take out your iPhone as you are reading this and follow the steps below. Don't allow a script kiddie to mess with you or steal your data. Here's how to do it:
  • Download the MobileTerminal from the Cydia Store if you don't already have it
  • Launch MobileTerminal
  • At the prompt type 'su root'
  • You will be asked to enter the current root password to elevate your privilege. Enter 'alpine'
  • Type 'passwd' to change the password
  • You will be asked to enter the current root password. Enter 'alpine'
  • You will be prompted to enter a new password. Enter a strong password that cannot be easily brute-forced
  • Type 'exit' to exit the root account
  • At the prompt type 'passwd' to change the password of the current user
  • You will be asked to enter the current password. Enter 'alpine'
  • You will be prompted to enter a new password. Again, enter a strong password that cannot be easily brute-forced
That wasn't too hard, was it? Thanks for helping in the fight against malware.

Have a Happy Thanksgiving!

Wednesday, November 18, 2009

Rule release for today - November 18th, 2009

Rules added and modified in several categories. As usual, go here: http://www.snort.org/vrt/advisories/2009/11/18/vrt-rules-2009-11-18.html for the changelog.

Wednesday, November 11, 2009

November 2009 Vulnerability Report

Sourcefire VRT Vulnerability Report November 2009 from Sourcefire VRT on Vimeo.

November Vulnerability Report.

This month, Alain Zidouemba talks about Microsoft Patch Tuesday, the SSL renegotiation flaw and the iPhone worm.

Tuesday, November 10, 2009

Microsoft Tuesday Coverage for November 2009

A number of advisories from Microsoft this month; expect us to cover the most pressing ones in our upcoming Vulnerability Report. For now, here's a quick overview:

Microsoft Security Advisory MS09-063:
The Web Services on Devices API (WSDAPI) in Microsoft Windows Vista contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16227.

Microsoft Security Advisory MS09-064:
A vulnerability in the Microsoft License Logging Service may present a remote, unauthenticated attacker with the opportunity to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 16238 and 16239.

Microsoft Security Advisory MS09-065:
A vulnerability exists in the Windows kernel that may allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 16231 and 16232.

Microsoft Security Advisory MS09-066:
A programming error in the Microsoft Active Directory NTDSA implementation may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16237.

Microsoft Security Advisory MS09-067:
Multiple vulnerabilities exist in Microsoft Excel that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 16226, 16228, 16229, 16230, 16233, 16235, 16236, 16240 and 16241.

Microsoft Security Advisory MS09-068:
A vulnerability in Microsoft Word may allow an attacker to execute code on an affected system via the processing of a specially crafted Word document.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16234.

Changelogs on snort.org here: http://www.snort.org/vrt/advisories/2009/11/10/vrt-rules-2009-11-10.html

Thursday, November 5, 2009

DoJoSec meeting - November 5th

Tonight's DoJoSec has a change in lineup. Since Lurene is on the PUP list for today, Matt Olney is stepping in to take her place and give a talk on "Custom Intrusion Detection Techniques for Monitoring Web Applications". It shares its title with the presentation he will give next week at OWASP Appsec DC 09, but tonight's presentation will not be the same talk; instead it is geared more towards the DoJoSec audience.

If you can attend, we'll see you there. There will be a few of us on hand to answer questions and chat about general security issues.

Wednesday, November 4, 2009

DoJoSec and DoJoCon

Tomorrow evening, starting at 6:00 pm at Capitol College, Laurel MD, Lurene Grenier will be giving a presentation on Byakugan. Following this event, on Friday morning, our Senior Director of the Vulnerability Research Team, Matt Watchinski, will be speaking at DoJoCon.

Check here for DoJoSec: http://www.saecur.com/dojosec.php

Check here for DoJoCon: http://www.dojocon.org/

Members of the VRT will be present at both events, and on Friday and Saturday they will be in attendance at the Sourcefire booth for DoJoCon. Come along with questions if you like or just to say hi.

Tuesday, November 3, 2009

Rule release for today - November 3rd, 2009

Adobe Adobe Adobe Adobe, we thought you only did patch releases once per quarter, guess we were wrong. Anyway, a few vulnerabilities with Shockwave. Get your rules on here: http://www.snort.org/vrt/advisories/2009/11/03/vrt-rules-2009-11-03.html

Monday, November 2, 2009

Paranoia and the rise of fake antivirus

This weekend I got a call from my father, who wanted my advice as the computer security guy in the family. It seems that my younger sister's laptop had become infected with a nasty little virus called Block Watcher, which had popped up a series of messages telling her that her computer was infected with a virus, and that she should go and purchase their product - for the low, low price of $30 - in order to clean her machine. Recognizing that something wasn't right, my sister called my father, who had in turn called me with his theory on how best to remove Block Watcher, since his early attempts had been unsuccessful.

I quickly suggested that he Google for a removal tool, since modern malware is much more difficult to remove than anything he'd be familiar with (his last experience removing a virus was some time in the early-to-mid 1990's). A half-hour or so later, he called back, and said that while he'd found a removal tool, something about the site made him uneasy, and he wanted me to take a look and see if I could tell whether it was legitimate. When I pulled up the site - hxxp://removal-tool.com (WARNING: LIVE MALWARE!) - it seemed just as odd to me as it had to him, so I decided to do a bit of research on the site itself. When I put the domain name itself into Google, one of the first hits was a blog post from respected malware researchers TrendMicro showing how this exact site was delivering malware itself!

I downloaded a copy of the executable that the site suggested could be used to remove Block Watcher and ran it through the free ThreatExpert.com analysis tool; the results are here. In addition to creating several files and registry entries on the target machine, the program opened up UDP port 1053 - as clear a sign of a back door as you'll ever get (in fact, SANS shows a recent uptick in activity on this port, and lists a pair of trojans associated with it).
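As an added illustration (not code from the original post): a small Python check that parses `netstat -ano` output from a Windows host and flags UDP sockets bound on ports outside a baseline, which is how a listener like the UDP 1053 one above would stand out on the infected laptop. The sample netstat output and the port allowlist are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output from a Windows workstation.
# The UDP/1053 row mimics the indicator described in the post; it is not captured data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.20:49152     10.0.0.5:443           ESTABLISHED     1560
  UDP    0.0.0.0:123            *:*                                    1084
  UDP    0.0.0.0:1053           *:*                                    2344
  UDP    [::]:5355              *:*                                    1312
"""

# Hypothetical baseline of UDP ports a workstation legitimately binds (DNS/DHCP clients,
# NTP, NetBIOS, SSDP, mDNS, LLMNR). Anything else that is listening gets flagged.
EXPECTED_UDP_PORTS = {53, 67, 68, 123, 137, 138, 1900, 5353, 5355}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


def parse_netstat(text):
    """Return a Listener for every bound socket in `netstat -ano` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        addr, _, port = fields[1].rpartition(":")  # also handles [::]:port
        # TCP rows carry a State column and only LISTENING ones matter here;
        # UDP rows have no State column, so the PID is simply the last field.
        if fields[0] == "TCP" and fields[3] != "LISTENING":
            continue
        listeners.append(Listener(fields[0], addr, int(port), int(fields[-1])))
    return listeners


def unexpected_udp_listeners(text, allow=EXPECTED_UDP_PORTS):
    """UDP sockets bound outside the baseline: candidate back doors to investigate by PID."""
    return [l for l in parse_netstat(text) if l.proto == "UDP" and l.port not in allow]


if __name__ == "__main__":
    for hit in unexpected_udp_listeners(SAMPLE_NETSTAT):
        print(f"investigate PID {hit.pid}: UDP/{hit.port} bound on {hit.addr}")
```

Map the flagged PID back to its image with `tasklist` to see which binary (here, the "removal tool") opened the socket.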

The question I'm sure you have by now is, "So what? Why do I care?". The answer is simple: this sort of fake anti-virus scam is on the rise, and many users on networks that you run and/or are charged with defending aren't as suspicious as my father and my sister. In fact, according to a recently released report from Symantec, there were roughly 43 million attempts to install fake anti-virus software between July 1, 2008, and June 30, 2009. If you're watching over even a moderately large network, chances are that at least a few of your users have run across something like this.

Clearly, it's in your best interests as a network security professional to educate your users about scams like these - perhaps with the simple rule of thumb that "if any program on your system tells you that you have a virus, contact the IT department immediately." It doesn't hurt to run the VRT Certified rule set, either, since our spyware category contains rules for some of the most prevalent threats, like Spyware Guard 2008 (SIDs 16134 & 16135).

Oh, and whatever you do, don't trust McAfee's SiteAdvisor for a determination on whether a particular web site is clean - they rate removal-tool.com as clean, despite the fact that 11 of the 17 user-submitted reviews on McAfee's own page say the page contains "Adware, spyware, or viruses". Clearly someone over there isn't paying attention. ;-)