January, 2011:

Symantec warns to be careful of potentially malicious email and websites

Chinese New Year of the Rabbit – Avoid Spam and Malware
http://www.symantec.com/connect/blogs/coming-next-chinese-new-year

QUOTE: Giving gifts for Chinese New Year is a traditional custom, not only for families but also for businesses to show their gratitude to customers. While everyone is ready to welcome the Year of the Rabbit, spammers have already provided many holiday surprises for them. Chinese New Year is on February 3 this year, about half a month earlier than last couple of years. Spammers have also adjusted their attack schedule for the upcoming festival. Product and business promotion spam have been observed since last December. Most attacks have customized the ‘From’ line alias and use promotional ‘Subject’ lines related to Chinese New Year

While the MHTML protocol is not often seen, it could be used in new attacks until this vulnerability is patched.  Please be careful if you encounter this and ensure there is a legitimate and safe use of this special protocol.

Microsoft Warns of Windows Script Injection Vulnerability
http://blogs.pcmag.com/securitywatch/2011/01/microsoft_warns_of_windows_scr.php
http://www.microsoft.com/technet/security/advisory/2501696.mspx

QUOTE: Microsoft tonight released a security advisory for a publicly-disclosed vulnerability in all versions of Windows. Security Advisory 2501696 describes a bug in the MHTML handler in Windows which could lead to information disclosure.  MHTML (MIME Encapsulation of Aggregate HTML) encapsulates HTML in a MIME structure. MIME (Multipurpose Internet Mail Extensions) is a data format for encapsulating more complex binary structures in a text-only format. Windows includes a pluggable protocol handler (MHTML:) that allows applications to render MHTML structures. Internet Explorer is one of these and it can be abused to exploit the bug in the context of a web page, causing script to be executed. The user would have click a link to an MHTML:// document.

Malware toolkits have grown more expensive (some costing up to $8,000 or more) as cybercrime continues to grow and become more sophisticated.  Trend shares an interesting perspective on what these kits contain and how they are used by malicious criminals.

Trend Labs – Do it yourself Crimeware Kits
http://blog.trendmicro.com/diy-cybercrime-exploits-loaders-and-affiliates-part-1/

QUOTE: This post is the first of a two-part report about how cybercrime kits such as exploit toolkits enable even the less technical of cybercriminals to build botnets and conduct malicious attacks.

Large-scale botnets that compromise hundreds of thousands of systems around the world receive plenty of attention and deservedly so. However, there are many smaller botnets that often escape such scrutiny. The tools and services required to create, maintain, and profit from a botnet are widely available in the cybercrime underground for a price. These do-it-yourself (DIY) cybercrime kits enable those with limited technical skills to create botnets of their own.

The tools available include exploit kits that attempt to deliver various exploits to a visitor’s system based on the availability of vulnerable software on the said system as well as on the traffic direction systems that divert visitors to other websites or that direct them to download additional malware.

Trend is warning that messages are being spammed to users, requesting that they log into a site that resembles the Facebook security home page.  Please always be careful with any email messages claiming that they originate from Facebook.  In this case avoid email messages stating your account has been blocked – instead log into Facebook and verify the status of your account directly.

Facebook Security Spoofed, Used for Phishing
http://blog.trendmicro.com/facebook-security-spoofed-used-for-phishing/

Facebook’s True Security Page
(which if you LIKE will provide critical warnings)
http://www.facebook.com/security

QUOTE: Facebook Security is the official Facebook page that the site uses to provide user-friendly security information that is particularly relevant to its users. However, it is now being used in phishing attacks.  Spammed messages purportedly from Facebook Security are being sent to Facebook users. According to the message, the user’s account has been found to be suspicious and has been blocked. Facebook Security’s account was either accessed from an unknown location or was abused.  The message then asks the user to verify and unblock the account by going to a site that turned out to be a phishing page.

Facebook’s new SSL based capabilities are a welcome improvement. As this popular site attracts malicious attackers best practices also complement this new protective approach (e.g., avoid potentially malicious links or applications, locking down privacy, careful approval of friend requests, limited Windows account, using latest version of browser, up-to-date AV protection, etc.)

Facebook Now Officially Supports HTTPS for Users
http://blog.trendmicro.com/facebook-now-officially-supports-https-for-users/

QUOTE: In line with Data Privacy Day this Friday, Facebook announced its rollout of Secure Sockets Layer (SSL) capability for all of its services. Facebook has taken some heat for its lack of SSL support, especially with the release of FireSheep, which we covered here. Facebook does warn that encrypted pages will take slightly longer to load, which is a small price to pay for the added security.  According to the official Facebook post, there should soon be a check box titled Secure Browsing (https) under the Account Security section of Account Settings. This setting specifies that all future connections be redirected to HTTPS. It should be noted that this rollout has just begun and that this option is not yet available to everyone. It may take some time before this option is made available to everyone.

During 2010, authors continue to innovate so that many malicious attacks sent a unique sample each time to evade detection. Command-and-control botnets, targeted attacks, and highly polymorphic malware families resulted in millions of unique samples captured by AV-Test during the past year.

AV-TEST reports MILLIONS of unique Malware samples during 2010
http://sunbeltblog.blogspot.com/2011/01/updated-virus-stats-from-av-test.html

AV-Test HOME PAGE
http://www.av-test.org/

QUOTE: Andreas Marx at AV-Test has shared some more information which highlights the significance of the malware problem. The numbers are staggering — AV-Test processed an average of 54k samples per day in 2010, up from an average of 33k in 2009 — and up from 426 samples per day just a decade ago.

Below are links for this excellent corporate PENTEST tool.  Architecturally, the new version uses a subroutine approach for specialized analysis to ensure the main engine stays efficient. 

PENTEST Tool — Nmap 5.50 Released
http://isc.sans.edu/diary.html?storyid=10330

Nmap 5.50 Documentation
http://nmap.org/nsedoc/

Nmap 5.50 Change Log
http://nmap.org/changelog.html

Nmap 5.50 Download (about 19MB)
http://nmap.org/download.html

QUOTE: A new update of one of the handlers’ favourite tool was released today.  A primary focus of this release is the Nmap Scripting Engine, which has allowed Nmap to expand up the protocol stack and take network discovery to the next level.  Nmap can now query all sorts of application protocols, including web servers, databases, DNS servers, FTP, and now even Gopher servers!  Remember those?  These capabilities are in self-contained libraries and scripts to avoid bloating Nmap’s core engine.

This fake attack prompts users renew their 2-factor token devices and in sharing sensitive information.

Massive Phishing Attacks Strike Bank of China Users
http://blogs.mcafee.com/mcafee-labs/massive-online-bank-phishing-attacks-in-china

QUOTE: We have noticed a lot of SMS-based web-phishing attacks in China targeting the Bank of China’s online users. They received a phishing SMS that is designed to look like it was sent by the bank as a reminder to its customers: “Dear user, your token has expired, please visit to reactivate your token.” The URL is similar to the bank’s official website but points to a phishing site that looks almost like the original bank website.

Data Privacy Day is January 28, 2011
http://dataprivacyday2011.org/

QUOTE: Despite all of the benefits of these technologies, doubts and worries persist about just how much personal information is collected, stored, used, and shared to provide these convenient and pervasive tools and services.

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.  In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

Some excellent Windows Update tips and techniques recently published

Servicing related questions I have seen this week – Ramblings of a Support Engineer
http://blogs.technet.com/b/joscon/archive/2011/01/26/servicing-related-questions-i-have-seen-this-week.aspx

This is a very useful table of Windows Update result codes noted in the above link:

Appendix G: Windows Update Agent Result Codes
http://technet.microsoft.com/en-us/library/cc720442%28WS.10%29.aspx