2006 VECTORBLOG
December, 2006 waiting The work load after posting the DIACAP information has been a mixed blessing - work is good, good response is better, but with a small team, more work = less time to post the gratis papers. We again throw out the call to anyone with a paper to share.
August 6, 2006 there's more To add to the DIACAP paper that dropped in last week, there is a solid overview presentation all ready for your C&A transition efforts. Check out the DIACAP Overview page for the various formats of the slideshow, and grab the paper if you haven't already.
July 30, 2006 cross multiply With the high percentage of visitors that we have (as well as customers) in the US DoD sphere, it is only natural that a good deal of our non-malware time goes into such things as DIACAP. There's a new report that many of you will want to investigate to get your DITSCAP knowledge freshened up (note to those unsure of what any of the following is about: don't worry, back to the regular news shortly).
To go with any new DIACAP program, there is a great tool offered by iassure to automate the scorecard process. If you are thinking about a DIACAP practice, check out their tool here. Note: it is currently under redesign to comply with this month's guidance.
July 21, 2006 tomato... We've been working on a project identifying what could be "unwanted but not malware" pieces of code on machines, things that anti-virus software doesn't/won't identify. If you have suggestions, please drop a line.
July 19, 2006 packaged All of the presentation research/slides from the "Sharing the Unverifiable" work is packaged up on the site now for your downloading pleasure. Check out the slides, additional papers, and a good overview of the research taken from Gordon's talk last week. Sharing the Unverifiable
July 7, 2006 new again Sometimes a little time away is all that's needed to get a fresh outlook. The site is back, just prior to Gordon's presentation at SANSFIRE. If you aren't going, check out the research here.
April 10, 2006 spring break If you have a short article or project you'd like to see on the site, we'd be happy to publish it. We will be taking an extended break for personal projects and a little time off. The Sharing the Unverifiable: Prediction Exchange work has been accepted for presentation at SANSFIRE in July, hope to see some of you there.
March 16, 2006 radio free __ The RFID virus story has made the rounds very quickly. That is surprising to me, as I didn't think that many people in the audience of most popular media would even know what RFID is, much less want to hear about the technical components. On the other hand, everyone likes to hear about a potentially devastating discovery in a technology being adopted by thousands of businesses. To be sure, the more conservative reports on this issue are in the right: there is no risk at the moment, the results of the study in question are based on unique lab conditions, and if there is a SQL-injection exploit for your database it should be fixed/could be exploited anyway. Not seen enough on this new vector? Here are a couple good links:
http://software.silicon.com/malware/0,3800003100,39157280,00.htm and the paper that started it: http://www.rfidvirus.org/papers/percom.06.pdf
March 15, 2006 out like a lamb Once again, a rather light month from Microsoft. Microsoft’s monthly release includes multiple fixes for their Office suite (5 Excel and one general Office patch rolled into a single update) and a fix for a problem which allows unprivileged users to take on the credentials of a running service. The advisories are summarized on the Microsoft Bulletin page and available as an XLS chart and CSV.
March 14, 2006 taxing the system One month to go in the US to get individual income taxes filed with the government. This time of year has seen its share of scams in the past, and this spring is no exception. In December, we reported an IRS-based scam floating around the email circles. In the last 4 weeks we have been tracking another phishing effort aimed at US taxpayers. Maybe you've seen it, the con indicates that you are owed $63.80 by the government. This simple ploy has been hosted on numerous continents (ironically, North America was not in the mix yet) and has been sent to untold millions of email boxes. The story, "Taxable Income" (and PDF version) takes a very interesting look at establishing and distributing a phishing network in addition to examining this particular scam.
March 13, 2006 McGaffe McAfee users may have noticed that lots of non-viral files have been snatched by their malware scanner. This problem is due to a bad pattern released recently. More information can be found at McAfee's site:
http://vil.nai.com/vil/content/v_138884.htm
March 8, 2006 lion and lamb Two reports today, in an effort to get things rolling again. One describes a very subtle, academic subject: the classification of patches as security or non-security related and how that affects the security discipline. There is also the greater question of how it will shape the profession as a whole. The article is called "Not Security Related" and can be found in Vectorspaces and as a PDF.
Second, we return to the Phishing Trip series that was popular last year with a report focusing on a sample we received using the Royal Bank of Canada as the subject. Email crime is an ever-evolving and seemingly ever-profitable enterprise. This article also explores a few ways companies may be able to help foil some of the criminals. This one is called "Phish Sticks" and is also a PDF (yes, another "ph"/phishing joke).
March 7, 2006 mail merge The following Trojan delivery email is built on the now tiresome "you have a postcard" email that has fooled a number of people into downloading and installing an IRC bot onto their machines. It takes a number of tricks from the spammers as well, utilizing the Bayesian filter beating random word insertion, HTML tagging, and somewhat better grammar to make what looks like a real letter (do not visit URL):
<title>You have fun a (postcard).</title>
Malware authors are constantly borrowing tricks from other like-minded professionals, whether it's proof-of-concept code or broader strategies for email delivery. The Phishing Trip reports from 2005 examined this trend in detail, as will a few future articles to appear very soon.
March 6, 2006 medical leave As some of you know, the recent break from the blog was due to a stay in the hospital. All is back on track now and new articles are in the works.
February 17, 2006 broken up After another unforeseen break from the vectorblog (I apologize for the necessary delay), it is time for the Microsoft Security bulletins for February. The February set has a rather mixed bag of goodies for Windows administrators. None of the vulnerabilities looks especially scary - with the Media Player flaw the most likely for a short term mass-mailer or something similar. Even the IE roll-up doesn't affect XP/2003 users, meaning a widespread panic is unlikely.
Of the 7 releases, two are Critical and the rest are Important. Check the affected versions of applications and language-based systems (i.e.: if you have the East Asian version of Windows, the Important rating for MS06-010 may seem too low). The list is available in Excel format as well as good old CSV.
January 27, 2006 old hat, new hat I had the opportunity to attend the Black Hat Federal conference in Washington, DC. The presentations seemed to be additional evidence that the malware issues of the future will be defined by application-specific code, such as the web server worms we have seen since Santy in December 2004. Fighting such threats will require much better training for developers, testers, and administrators than in the past. Technical people are often the most resistant to such training: while they want to learn more about the coolest features of their craft, they are regularly loath to add the "tedious" security checks to their creations. What is the best way to train application developers, and are they the right people to aim at when hoping to add defense mechanisms to programs? Let us know at the vectorblog.
January 25, 2006 wheelie The Pinfi virus has been making the rounds for a while. Last year, Viruslist's Analyst's diary had a post about finding the parasite in some spyware downloaders - and they remarked it was likely an accident on the part of the coders. Today we post a report taking a quick peek at such infections. It's called Pinwheel, and is available as html and as a PDF.
The Viruslist citation: http://www.viruslist.com/en/weblog?discuss=167808398&return=1
January 17, 2006 and happy birthday Two years and no signs of stopping. The Beagle/Bagle worm turns 2 this week. That is an amazing lifespan for code that, in many ways, still looks very much like the mass mailer and companion Trojans that we saw in 2004. As readers of the site and the blog know, infectionvectors has produced a number of reports covering the malware - and the second birthday has not gone unnoticed. Released today is the fifth part of the Beagle History report: Cotton, China, and Bagles: The Second Anniversary of the Beagle Worm. The title is a nod to the traditional gifts for a wedding anniversary; as the writer notes in the References, the wedding of a successful mass mailer and the numerous complementary packages is worth taking a second look at. The report is available here and as a PDF. It has also been rolled into the complete PDF: "Years of the Beagle."
January 10, 2006 new year There are 3 new critical vulnerabilities in Microsoft products to kick off 2006. One is, of course, the much-hyped WMF patch which actually came out-of-cycle last week. All of the flaws can take the form of phishing-style attacks, should the criminal community be so inclined. There is already a good deal of malware for MS06-001, as noted in previous infectionvectors reports (as well as news media everywhere). As for 002, 003, there is nothing yet, but be on the lookout.
MS06-002 certainly has an intriguing hook: it can be used as part of an exploit that is triggered automatically by any Exchange Server that reads it. That would make it possible to craft something akin to Slammer for mail servers. It would be a slower worm, relying on SMTP instead of the UDP shotgun, but it would be more widespread – as so many more Exchange machines exist with an open connection to the public world than MS SQL servers.
The above struck me as I read the usually lengthy “Mitigating Factors” section of the bulletin. This time it just reads:
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (quoted from MS06-002)
That (plus the very long list of workarounds) makes me think this could be a serious problem that won’t see a lot of press until it pops (unlike the WMF handling goo from the last two weeks). As always, get the review here, the XLS roll-up here, and the CSV version right here.
January 9, 2006 riptide Caught in the swirl of unofficial patches from last week, the official early patch, and now the regular release cycle of patches? I bet it has been a great week for Windows admins. We'd love to hear the patch management stories from around the server farms of the world.
January 3, 2006 framed The WMF vulnerability is now on the plates of every administrator. If you are considering installing the 3rd-party patch endorsed by ISC and F-Secure, please consider the testing procedure and support implications (especially how they weigh against the impact of existing exploits).
A new report, Frames and Meta Frames, examines the flaw and exploits relating to the WMF tornado, but more importantly asks about the issues that this particular flaw begs us to examine - not the least of which is installing unsupported patches on a few thousand enterprise computers. It needs to be said that we are weighing an unsupported patch against a possible future exploit and its potential payload. That sounds like a proposition that won't win over too many CIOs - as it shouldn't.
The Frames and Meta Frames paper points out one very important point: the only infection vector right now is user interaction. That has been a popular mechanism for exploiting boxes for years - and there is no patch for mass mailers. If there was, Melissa probably would have flushed it out. Get the report here and in PDF format.
Copyright ©2006 infectionvectors.com. All rights reserved.