November, 2011:

A new BETA version of MSE is available with limited participation.  Good technical skills are usually required to support beta testing in case issues surface. 

Microsoft Security Essentials beta registration opens
http://blogs.technet.com/b/mmpc/archive/2011/11/18/microsoft-security-essentials-beta-registration-opens.aspx

This blog highlights new Facebook attacks

Facecrooks – Facebook Safety Blog
http://facecrooks.com/

Facecrooks – Best Practices in using Facebook
http://facecrooks.com/Safety-Center/Safety-Center.html

Facecrooks – Privacy and Security made simple
http://facecrooks.com/Safety-Center/Facebook-Privacy-and-Security-Made-Simple.html

Please avoid suspicious links like this on Facebook

Facebook – Avoid the 15 Second video challenge
http://blog.eset.com/2011/11/13/facebook-video-scam-15-seconds-dont-watch-it-at-all

QUOTE: One of my Facebook friends drew my attention today to a fast-spreading link. I’m pleased to say that he knew better than to look at it, but I figured it was worth seeing what it was all about. The link comes with this message, according to Facecrooks.com (a good place to check for stuff like this):

98 Percent Of People Cant Watch This Video For More Than 15 Seconds

CLICK LINK TO WATCH VIDEO & SEE HOW LONG YOU CAN LAST!!

Needless to say, clicking the link is not a good idea. It’s a survey scam: if you do follow the link, it takes you to a fake Facebook page that looks as if it contains a video, but if you click the “play” button, it loads a “Share” box so that you can irritate all your friends by spamming them with the same message

Below are key resources for improving Hyper-V security 

Simple Security Recommendations When Using Hyper-V
http://technet.microsoft.com/en-us/security/hh535714

QUOTE: Microsoft has a few articles on TechNet that outline some of the key aspects of a secure deployment of the Hyper-V virtualization technology, a feature of Windows Server 2008 R2.

Microsoft Hyper-V Security Best Practices
http://technet.microsoft.com/en-us/library/dd283088(WS.10).aspx

— Use a Server Core installation of Windows Server 2008 for the management operating system.
— Do not run any applications in the management operating system—run all applications on virtual machines.
— Use the security level of your virtual machines to determine the security level of your management operating system.
— Do not give virtual machine administrators permissions on the management operating system.
— Ensure that virtual machines are fully updated before they are deployed in a production environment.
— Ensure integration services are installed on virtual machines.
— Use a dedicated network adapter for the management operating system of the virtualization server.
— Use BitLocker Drive Encryption to help protect resources.

Additional Recommendations

• Hyper-V Technical Resources
• Hyper-V Getting Started Guide
• Planning for Hyper-V Security

As Trend Labs notes, the FBI’s Operation Ghost Click initiative is so far the largest cybercriminal shutdown in history

FBI Operation Ghost Click – Largest Cybercriminal shutdown in history
http://blog.trendmicro.com/esthost-taken-down-%e2%80%93-biggest-cybercriminal-takedown-in-history/

QUOTE:  On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners.  In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.

The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.  The following links relate to this entry:

• Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks
• Making a Million, Part Two—The Scale of the Threat
• A Cybercrime Hub

Sunbelt security warns of holiday package delivery scams and other threats where PDF malware may be circulating

PDF Malware – Increase for holiday season
http://sunbeltblog.blogspot.com/2011/11/pdf-malware-is-back-in-season.html

QUOTE: Avid readers of the GFI Labs blog can attest that they’re no strangers to this kind of attack: one receives an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it’s either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be varies, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer.

Our researchers in the AV Labs have been seeing an uptick of this particular campaign, which pose as a message from the United States Postal Service (USPS) and bears the subject “Package is was not able to be delivered please print out the attached label”.

AV-Test noted some limitations in recent tests for Android AV products, which are continuing to improve and handle these new threats. Kaspersky, F-Secure, and Zoner were rated among best current solutions

Report: Most Free Android Antivirus Apps Useless
http://securitywatch.pcmag.com/security-software/290411-report-most-free-android-antivirus-apps-useless

QUOTE: Each product was installed on an Android device containing inactive specimens of over 150 recent Android threats. Researchers ran an on-demand scan and recorded how many threats were detected. Kaspersky and F-Secure detected over half. The best free product, Zoner Antivirus, caught 32 percent. All the rest detected under 10 percent, and some didn’t detect any samples at all.

Below are 6 recommendations for protection:

PC Magazine — Six Ways to Protect Yourself from Duqu
http://securitywatch.pcmag.com/malware/290204-six-ways-to-protect-yourself-from-duqu
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231902310/five-things-to-do-to-defend-against-duqu.html?itc=edit_stub

QUOTE: Six Ways to Protect Yourself from Duqu

1. Microsoft Hotfix available
2. AntiVirus updates
3. Avoid unknown documents
4. Monitor for infected machines on network
5. Watch Port 443 traffic that’s unencrypted
6. Keep an eye out for ~DQ files

Microsoft Hotfix available
http://www.pcmag.com/article2/0,2817,2395861,00.asp

These important security updates should be applied promptly:

Microsoft Security Release – November 2011
http://technet.microsoft.com/en-us/security/bulletin/ms11-nov
http://blogs.technet.com/b/srd/archive/2011/11/08/assessing-the-exploitability-of-ms11-083.aspx

ICS Analysis
http://isc.sans.edu/diary.html?storyid=11971

QUOTE: The vulnerability presents itself in the specific scenario where an attacker can send a large number of specially crafted UDP packets to a random port that does not have a service listening. While processing these network packets it is observed that some used structures are referenced but not dereferenced properly. This unbalanced reference counting could eventually lead to an integer overflow of the reference counter

A sophisticated attack called DNSchanger was successfully shutdown by the FBI.

FBI takes out $14M DNS malware operation
http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911
http://www.networkworld.com/community/blog/fbi-takes-out-14m-dns-malware-operation
http://www.f-secure.com/weblog/archives/00002268.html

QUOTE: US law enforcement today said it had smashed what it called a massive, sophisticated Internet fraud scheme that injected malware  in more than four million computers in over 100 countries while generating $14 million in illegitimate income. Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA.

Details of the two-year FBI investigation called Operation Ghost Click were announced today in New York when a federal indictment was unsealed against six Estonian nationals and one Russian national.  The six cyber criminals were taken into custody yesterday in Estonia by local authorities, and the U.S. will seek to extradite them. In conjunction with the arrests, U.S. authorities seized computers and rogue DNS servers at various locations.

Beginning in 2007, the cyber thieves used malware known as DNSChanger to infect computers worldwide, the FBI said.  DNSChanger redirected unsuspecting users to rogue servers controlled by the cyber thieves, letting them manipulate users’ web activity.  The defendants also inflicted the following:

* Unwitting customers of the defendants’ sham publisher networks were paying for Internet traffic from computer users who had not intended to view or click their ads.

* Users involuntarily routed to Internet ads may well have harbored discontent with those businesses, even though the businesses were blameless.

* And then there is the harm to the users of the hijacked computers. The DNSChanger malware was a virus more akin to an antibiotic-resistant bacterium. It had a built-in defense that blocked anti-virus software updates. And it left infected computers vulnerable to other malware.