Archive for the 'Malware' Category

Microsoft hard at work to fix deep vulnerability

Posted in All Posts, Email Security, Exploits, Malware, Updates on October 31st, 2007

Microsoft is working furiously to fix a vulnerability in the way Windows hands URIs (links such as mailto:) to the programs registered to handle them. Because many third-party programs pass URIs to Windows for exactly this purpose, the flaw reaches well beyond Microsoft's own software, and Adobe Reader has been hit particularly hard.

This vulnerability is being very actively exploited in the wild, both through malicious email and through malicious web sites. The exploit arrives as a crafted .pdf file carrying a link that, once Reader passes it to Windows, can cause Windows to run a program of the attacker's choosing. Adobe has shipped a fix in Reader 8.1.1, so it is very important to download and install it. We advise all readers to check that they have Reader version 8.1.1 or later and, if they don't, to install it immediately. Note that patching Reader closes only that one path into the Windows flaw; other programs that pass URIs to Windows remain exposed until Microsoft ships its own fix.

Also, look for a patch from Microsoft in the near future. We predict Microsoft will issue a patch as soon as possible, rather than wait for its normal second-Tuesday update cycle, because this vulnerability is so important to plug.

For more information:

http://www.theregister.co.uk/2007/10/26/microsoft_scrambles_to_fix_windows/

Zombie Shmombie, Where is the Zombie?

Posted in All Posts, Email Security, Exploits, Malware, Online Security, Safe e-Commerce, Scams on September 19th, 2007

Computers that have been compromised and turned into remotely controlled attack machines, otherwise known as zombies (a group of them under one controller is a botnet), are becoming a significant problem.

These compromised computers are being used to attack a variety of Internet servers in a number of countries. The usual method is a distributed denial of service (DDoS) attack: thousands of zombies send traffic at once, overloading the target's servers and shutting down its web sites. The owner of a zombie typically notices nothing, which is why keeping systems patched and anti-virus current matters even for people who think they have nothing worth stealing.

For more information:

CipherTrust.com is a good source of information about zombies and other security threats.

Don’t accept candy, or e-cards from Strangers

Posted in Email Security, Exploits, Malware on August 25th, 2007

Your Mama always told you, “Don’t accept candy from strangers”.

Well, don’t accept e-cards from strangers, either.

And your Mama would tell you the same about e-cards, if she knew what was in them.

You see, they are likely to make your computer sick.

Sick as in virus infection. Way bad.

The e-Greeting Card Scams

Posted in Email Security, Exploits, Malware, Scams on June 30th, 2007

A new round of malicious e-greeting card spam is landing in inboxes. It usually has the subject line "You've received a postcard from a family member!"

Whatever you do, do not open these spam emails, and do not click on the links.

If you do, you will be taken to a malicious web site that will attempt to install a variant of the Storm Trojan horse.

    “Today’s greeting-card gambit tries a trio of exploits, moving on to the second if the machine is not vulnerable to the first, then on to the third if necessary. The first is an exploit against a QuickTime vulnerability; the second is an attack on the popular WinZip compression utility; and the third, dubbed “the Hail Mary” by the ISC, is an exploit for the WebViewFolderIcon vulnerability in Windows that Microsoft Corp. patched last October.”

Source: ComputerWorld

This demonstrates the importance of updating all software to the latest versions. In this case, QuickTime, WinZip and Windows are the targets. Users who have updated to the latest versions are protected against these three exploits, though not necessarily against whatever the next variant tries.

And of course, it demonstrates the importance of being suspicious of all email that lands in your inbox.

Virtual Machines Not Invulnerable

Posted in All Posts, Anti-Malware Tools, Malware, Online Security, Security Tools on May 30th, 2007

One of the benefits of "virtual machine" software, such as Sandboxie, GreenBorder and others, is that it purports to protect an Internet user from malware infection by containing the infection within the "virtual machine". (Strictly, Sandboxie and GreenBorder are sandboxes that isolate a program's file and registry writes on the same Windows kernel, rather than full virtual machines; the Google post below is about the latter. Both depend on the same thing: the boundary holding.)

We do recommend the use of such software, but users should be aware that it is not invulnerable to exploitation, any more than any other complex piece of software: a bug in the sandbox or virtual machine can let malware escape onto the real system. Users should be careful to update these programs whenever updates are offered, as the updates may fix exactly such security vulnerabilities.

Source:
http://googleonlinesecurity.blogspot.com/2007/05/on-virtualisation.html

Malware Lurks in 1 out of 10 Web Sites

Posted in Exploits, Malware, Online Security on May 21st, 2007

Google researchers have found malware lurking in 450,000 web sites out of 4.5 million sites studied, an amazingly large percentage.

Correction: Google researchers have since clarified and revised their statements. Taking the Internet as a whole, they estimate that fewer than 0.1% of web sites attempt to infect visitors with malware. The "one in ten" figure applied to a subset of sites already flagged as risky, which is where the much higher percentage came from.
Source: http://news.com.com/8301-10784_3-9721866-7.html

Many of the attacks focused on security defects in programs that handle content arriving from the Internet, such as browser plug-ins, media players and document readers. This is why updating those programs is critical to maintaining a secure computer or computer network.

Besides the obvious programs, such as Internet browsers, don't forget to update programs such as QuickTime, Flash, RealPlayer, Microsoft Office, Outlook Express, Adobe Reader, and all your anti-virus and anti-spyware programs.

Many users don't even know they have QuickTime, Flash and many of these other programs on their computers, because they were installed alongside something else. Making a list of what is actually installed is the first step to keeping it patched.

For more information:
http://news.com.com/8301-10784_3-9719590-7.html?tag=head

Very Realistic Fake Windows Activation Warning

Posted in Email Security, Malware, Scams on May 5th, 2007

A new Trojan horse has been identified in the wild, named Trojan.Kardphisher by Symantec. It uses *very* clever social engineering to steal credit card numbers from users.

If infected, you will be presented with a very realistic-looking warning that your copy of Windows has been activated by another user, and you will be asked to enter personal data, including a credit card number, in order to re-activate your Windows license. It tells you that your credit card is for identification purposes only and will not be charged. (Rest assured, the number goes straight to the criminals.)

This Trojan takes over the desktop and renders the computer unusable until you answer. It blocks Task Manager, so you cannot end its process. If you decline to enter a credit card number, the computer shuts down immediately. Genuine Windows activation never asks for a credit card; any "activation" screen that does is fraudulent.

For more information:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-042705-0108-99&tabid=1
or
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018645&source=NLT_PM&nlid=8

Storm Worm Spam Email Remains Very Dangerous

Posted in All Posts, Email Security, Exploits, General, Malware, Root kits on April 13th, 2007

The Storm worm remains very dangerous and is behind the most prolific spam run in recent history.

Its success is undoubtedly related to the clever social engineering it uses to entice people to open the attached .zip file.

The email warns the user that their computer is infected and that their email will be cut off if they don't install the attached "patch".

Ironically, the "patch" actually installs the Storm Worm Trojan, so the user ends up infected for real. No legitimate provider sends security patches as email attachments; that alone should be reason enough to delete the message.

For more info please refer to the Computer World article.

Drive-By-Shooting on the Internet

Posted in All Posts, Malware, Online Security, Security Tools on March 30th, 2007

A critical vulnerability has surfaced that affects many Microsoft products, including Windows 2000, XP, Server 2003 and Vista, most versions of Outlook, and Internet Explorer 6 and 7.

Attackers are exploiting a flaw in how Windows processes animated cursor (.ani) files: a malformed cursor file corrupts memory in the Windows code that loads it, and the attacker's code then runs with whatever privileges the logged-in user has.

Hey, this is a bad one! And it is not just theoretical, it is already actively in use.

All you have to do is view a malicious HTML email or web page, and your computer can be instantly compromised. No click is needed; merely having the page or message rendered is enough.

By compromised we mean, "It's not your computer anymore."

Microsoft does not have a patch.* They recommend reading email as plain text rather than HTML in Outlook (unless you have Outlook 2007, which is not vulnerable) and being cautious about unknown web pages. Running as a limited user rather than an administrator also limits what the exploit can do, though it does not stop it.

Microsoft Security Advisory (935423)
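What "a flaw in how Windows processes animated cursors" looks like at the byte level can be made concrete. The following is an added example written for this post, not code from Microsoft, eEye or the advisory: it walks the RIFF chunk structure of an .ani file and flags any "anih" header chunk whose declared size is not the 36 bytes a well-formed header has, any such chunk that appears more than once, and any chunk that runs past the end of the file. A size check of this kind is the validation a cursor loader must perform before copying the header into a fixed-size structure. The two sample files are constructed inline for the example and are not real exploit files.

```python
import struct

# sizeof(ANIHEADER): the fixed-size structure a cursor loader copies the
# 'anih' chunk into. A chunk declaring any other length is malformed, and a
# loader that trusts the declared length overruns that structure. Detection
# heuristic written for this post; the layout follows the public RIFF/ACON
# format, not any vendor's loader source.
ANIH_SIZE = 36

def walk_chunks(data, offset, end):
    """Yield (chunk_id, declared_size, payload_offset) for the RIFF chunks
    in data[offset:end]. Declared sizes are reported as found, not clamped,
    so oversize chunks stay visible to the caller."""
    while offset + 8 <= end:
        chunk_id = data[offset:offset + 4]
        size = struct.unpack_from('<I', data, offset + 4)[0]
        yield chunk_id, size, offset + 8
        offset += 8 + size + (size & 1)      # RIFF pads chunks to even length

def scan_ani(data):
    """Return a list of findings for an animated cursor; [] means nothing
    suspicious. Flags every 'anih' whose declared size is not 36 (at top
    level or inside a LIST), more than one 'anih', and chunks past EOF."""
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON animated cursor']
    riff_size = struct.unpack_from('<I', data, 4)[0]
    end = min(len(data), 8 + riff_size)
    findings, anih_seen = [], 0

    def check(chunk_id, size, payload, limit):
        nonlocal anih_seen
        if chunk_id == b'anih':
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append(f'anih chunk #{anih_seen} declares {size} bytes, expected {ANIH_SIZE}')
        if payload + size > limit:
            findings.append(f'{chunk_id.decode("ascii", "replace")} chunk runs past end of data')

    for chunk_id, size, payload in walk_chunks(data, 12, end):
        check(chunk_id, size, payload, end)
        if chunk_id == b'LIST':
            # a LIST carries a 4-byte list type followed by sub-chunks; an
            # 'anih' tucked inside a list is still an 'anih' to the loader
            sub_end = min(end, payload + size)
            for sub_id, sub_size, sub_payload in walk_chunks(data, payload + 4, sub_end):
                check(sub_id, sub_size, sub_payload, sub_end)
    if anih_seen > 1:
        findings.append(f'{anih_seen} anih chunks present; a well-formed cursor has exactly one')
    return findings

# --- constructed samples for the example (not real malware) ---------------
def riff_chunk(chunk_id, payload):
    pad = b'\x00' if len(payload) & 1 else b''
    return chunk_id + struct.pack('<I', len(payload)) + payload + pad

def build_ani(chunks):
    body = b'ACON' + b''.join(chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body

# cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
GOOD_HEADER = struct.pack('<9I', 36, 1, 1, 32, 32, 32, 1, 10, 1)
BENIGN_ANI = build_ani([riff_chunk(b'anih', GOOD_HEADER),
                        riff_chunk(b'rate', struct.pack('<I', 10))])
# a valid first header followed by a second 'anih' claiming 256 bytes: the
# shape a loader that validates only the first header would mishandle
CRAFTED_ANI = build_ani([riff_chunk(b'anih', GOOD_HEADER),
                         riff_chunk(b'anih', b'A' * 256)])

if __name__ == '__main__':
    for name, blob in (('benign', BENIGN_ANI), ('crafted', CRAFTED_ANI)):
        print(name, scan_ani(blob) or 'clean')
```

Run against a directory of .cur/.ani files or against cursor files carved out of web proxy logs, the scanner gives a cheap first filter; anything it flags deserves a look on an isolated machine, and a clean result only means the file passes these particular checks.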

Fortunately, a temporary patch has been developed by eEye Digital Security. A description and link for the patch can be found at their web site:

http://research.eeye.com/html/alerts/zeroday/20070328.html

Due to the insidious nature of this vulnerability, we strongly recommend installing the patch. Keep in mind that a third-party patch is an unofficial change to Windows: obtain it only from eEye's own site, treat it as a stopgap, and remove it once Microsoft's official fix is installed.

Alternatively, use a non-Microsoft browser and email client. Note, though, that the flaw is in Windows itself rather than in Internet Explorer or Outlook, so any program that lets Windows load a cursor from untrusted content can still be a way in; switching programs reduces exposure but does not remove it.

* Update: Microsoft has announced that it will be issuing a patch for this vulnerability on April 3rd, instead of waiting for its regular monthly update. Those who have automatic updates enabled should get it automatically. Those who don't should visit Windows Update and Office Update on April 3rd and install the patch ASAP.

Beware the Storm Worm

Posted in All Posts, Email Security, Exploits, Malware, Online Security, Root kits, Scams, Security Tools, Wired Network Security, Wireless Network Security on January 22nd, 2007

A massive storm swept across Europe last week...

And then in its wake came a storm across the Internet, in the form of a series of virus-infected emails.

And, referring back to our previous post, there is clearly a serious lack of "street smarts" among computer users, because this virus spread like wildfire. Check out the F-Secure video on YouTube and see for yourself.

All users are advised to update their anti-virus programs and use caution when opening email, especially email that refers to current events in the news* and induces the recipient to open the attachment. Some examples of the subject lines used:

  230 dead as storm batters Europe.
  A killer at 11, he’s free at 21 and…
  British Muslims Genocide
  Naked teens attack home director.
  U.S. Secretary of State Condoleezza…
  Russian missle shot down Chinese satellite
  Russian missle shot down USA aircraft
  Russian missle shot down USA satellite
  Chinese missile shot down USA aircraft
  Chinese missile shot down USA satellite
  Sadam Hussein alive!
  Sadam Hussein safe and sound!
  Radical Muslim drinking enemies’ blood.
  U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  Venezuelan leader: “Let’s the War beginning”.
  Fidel Castro dead.
  Hugo Chavez dead.

The virus package that this email can load on your computer is nasty, and users of infected computers may not even be aware that they are infected.
Please note that this series of virus-infected emails has a variety of subject lines and may carry several different attachments, so do not rely on recognising one subject line or one file name.
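The subject lines change from day to day, but the delivery mechanism these emails share, both in this post and in the April post "Storm Worm Spam Email Remains Very Dangerous", is an attached .zip wrapping an executable. A small recognizer for that pattern, as an added example written for this archive rather than F-Secure's or anyone else's tool: it parses a raw message with Python's standard email module, opens each archive attachment in memory with zipfile, and reports executables inside. The two messages it checks are constructed inline, not real Storm samples; the addresses and file names in them are made up.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. Chosen for this example; extend
# to taste (.vbs, .js, .hta ...).
EXEC_EXTS = {'.exe', '.scr', '.pif', '.com', '.bat', '.cmd'}

def _ext(name):
    return os.path.splitext(name or '')[1].lower()

def suspicious_attachments(raw_message):
    """Parse a raw RFC 822 message and return (attachment_name, reason) pairs
    for attachments that are executables or archives wrapping executables.
    Archives are opened from memory; nothing is written to disk or run."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or '(unnamed)'
        payload = part.get_payload(decode=True) or b''
        if _ext(name) in EXEC_EXTS:
            findings.append((name, 'directly attached executable'))
            continue
        # trust the bytes, not the extension: a .zip renamed .dat still opens
        if payload[:2] == b'PK':
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if _ext(info.filename) in EXEC_EXTS:
                            findings.append((name, f'archive contains executable {info.filename}'))
            except zipfile.BadZipFile:
                findings.append((name, 'zip signature but archive is corrupt'))
    return findings

# --- constructed sample messages (no real malware involved) ---------------
def _zip_with(filename, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(filename, content)
    return buf.getvalue()

def build_message(subject, attachment_name, attachment_bytes):
    msg = EmailMessage()
    msg['From'] = 'support@example.invalid'      # made-up sender
    msg['To'] = 'user@example.invalid'
    msg['Subject'] = subject
    msg.set_content('Your computer is infected. Install the attached patch '
                    'or your mailbox will be closed.')
    msg.add_attachment(attachment_bytes, maintype='application',
                       subtype='octet-stream', filename=attachment_name)
    return msg.as_bytes()

# a Storm-style lure: a zip holding a fake "patch" executable (MZ stub only)
STORM_STYLE = build_message('Your email account will be suspended', 'patch.zip',
                            _zip_with('patch-4791.exe', b'MZ' + b'\0' * 62))
# an ordinary message whose zip holds only an image
HARMLESS = build_message('Photos from the weekend', 'photos.zip',
                         _zip_with('beach.jpg', b'\xff\xd8\xff' + b'\0' * 16))

if __name__ == '__main__':
    for raw in (STORM_STYLE, HARMLESS):
        print(suspicious_attachments(raw) or 'no executable content')
```

Placed in front of a mailbox (a procmail or mail-gateway hook that feeds it the raw message), this catches the lure regardless of which headline or love note the subject line carries that week; it does nothing for the later variants that replaced the attachment with a link, which need URL filtering instead.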

For more information, check out the F-Secure Blog.  They have posted a video of the infection spreading across the globe, and also provide detailed information as to the contents of this virus infected series of email.

* The latest variants have branched out into any number of subject lines:

  So in Love
  Happy World Religion Day!
  Most Beautiful Girl
  Someone at Last
  I Believe
  The Dance of Love
  The Miracle of Love
  All For You
  Vacation Love
  I am Complete
  Wrapped Up
  Moonlit Waterfall
  A Little (sex) Card
  A Special Kiss
  Hugging My Pillow
  Safe and Sound
  You’re Soo kissable
  A Romantic Place
  Breakfast in Bed Coupon
  For You
  I Love You So
  Want to Meet?
  We Are Different
  We Have Walked
  You Asked Me Why

Please note that this virus also has a rootkit component that most anti-virus programs are not able to detect or remove.  F-Secure's BlackLight rootkit detector can detect and remove this rootkit, and should be run on any computer that has become infected.  Bear in mind that once a rootkit has run on a machine, no scanner can prove the machine clean; where the data on it matters, back up the documents and reinstall Windows from known-good media.  BlackLight can be downloaded from F-Secure via the following link:

http://www.f-secure.com/blacklight/

- Practice Safe Computing

_____________________________________________________________________________________________________________