Wednesday, January 25, 2006
A Sexy Worm?
It is the 3rd of the month. You finished a report late last night and want to give it a quick read to admire your prose and send it to management. You boot your computer and start your day's work. Nothing out of the ordinary. You review your file, have a cup of coffee, attach the file to an email and click "Send." First item on the "To Do" list, checked off. Then it starts.
You get a response from the president that she can't read the file you attached. This is an important file and data from it is needed immediately. You are asked to resend it, which you quickly do. Another call prompts you to look at the file, and it is garbage. You have a virus. Actually, it is a worm, but since your hard work, in the form of that Word file is destroyed, who is looking at definitions? "How could this be? I just looked at the file, it was fine and I didn't do anything on my PC between looking at the file, and sending it!"
Kama Sutra, well, that is the sexy name for it, is the culprit. But a virus/worm by any other name is just as destructive. It is also known as W32/Generic.worm!p2p, W32/MyWife.d@MM, and Email-Worm.Win32.Nyxem.e.
You may have received an email with the subject of "Fw: image.jpg," "the file," "Re:," "Word file" or any of 19 others. Some are provocative and there is certainly a target market that is sought after. This worm, like most destructive files today, looks up email addresses in the files stored on your computer. These may be in your Contacts list, or email addresses in web page files cached on your computer that you didn't even know existed. It sends itself to many of these addresses so that it can grow. The sender's address is fictitious. The attachment to that one message was actually a destructive payload. The hidden executable file does several things:
- on the 3rd day of each month, it runs itself
- it starts 30 minutes after you boot your PC
- it searches for the following file types and replaces their contents with this text string: "DATA Error [47 0F 94 93 F4 K5]"
  - .dmp – dump files
  - .doc – Microsoft Word, Lotus Works files
  - .mdb – Microsoft Access database
  - .mde – Microsoft Access database
  - .pdf – Adobe Acrobat
  - .pps – Microsoft PowerPoint show
  - .ppt – Microsoft PowerPoint file
  - .psd – Adobe Photoshop
  - .rar – compressed files (similar to ZIP)
  - .xls – Microsoft Excel files
  - .zip – compressed files
- it tries to disable your security and file sharing programs
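A defender-side triage script, added here as an example (not code from the original post, and not the worm itself), that walks a folder and lists files of the types above whose contents now begin with the "DATA Error" string, so you know exactly which ones to restore from backup. The sample folder it builds is constructed for the demonstration; checking only the start of each file is an assumption, since the page says the whole contents were replaced.

```python
import os
import tempfile
from pathlib import Path

# The string the page says the worm writes over each targeted file.
DAMAGE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# The file types the page lists as targets.
TARGET_EXTENSIONS = {
    ".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps",
    ".ppt", ".psd", ".rar", ".xls", ".zip",
}


def is_overwritten(path: Path) -> bool:
    """True if the file now begins with the worm's error string.

    A file shorter than the marker, or unreadable, is reported intact;
    the restore decision for those belongs to a human.
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(len(DAMAGE_MARKER))
    except OSError:
        return False
    return head == DAMAGE_MARKER


def find_damaged_files(root) -> list:
    """Walk root and return sorted relative paths of targeted files that were overwritten."""
    root = Path(root)
    damaged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Extension match is case-insensitive: REPORT.DOC is still a Word file.
            if p.suffix.lower() in TARGET_EXTENSIONS and is_overwritten(p):
                damaged.append(p.relative_to(root).as_posix())
    return sorted(damaged)


def build_sample_tree() -> str:
    """Constructed sample: a temp folder mixing intact and overwritten files."""
    root = tempfile.mkdtemp(prefix="nyxem_triage_")
    samples = {
        "report.doc": DAMAGE_MARKER,                        # overwritten
        "budget.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 32,   # intact (OLE header)
        "archive/backup.zip": DAMAGE_MARKER,                # overwritten, in a subfolder
        "notes.txt": DAMAGE_MARKER,                         # not a targeted type; ignored
        "photo.PSD": DAMAGE_MARKER,                         # upper-case extension still matches
    }
    for rel, content in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for f in find_damaged_files(build_sample_tree()):
        print("restore from backup:", f)
```

Point it at a user's document folders after the scan described below has removed the worm; anything it lists is gone and must come from backup.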
In this case the author wants to know how well his worm is doing. So he set it up to visit a web page, which registers a "hit" each time the worm finds a new home. The hit increases the counter which, as of Sunday Jan. 22, 2005 was at 539,261.
What do you do next? Get rid of the problem. You should have a virus protection program on your PC. It should be current and the virus definition file also needs to be current. These are two separate things. If you have the virus and you have the current software, consider a different program for protecting your files. Run a scan of your PC with a different program and delete the unwanted files and have it change your registry and other needed settings back the way they were. Resetting your system or installing a backup may only put the file there again, waiting for the 3rd of the next month to run itself all over again. Remember that many of your file types may have been destroyed, not just this one. But you have them backed up, right? Then, call home, and tell them “I'll be working late again tonight.”
Tech Links:
SARC
Symantec
SRNMicro
Softpedia
AuditMyPC
Articles:
Obscene Kama Sutra worm spreading via e-mail
New Kama Sutra Worm Corrupts Microsoft Documents
Kama Sutra worm ties security in knots
Friday, January 20, 2006
Phishing Illegal in California
A new law in California, SB 355, makes phishing a crime. The law, which takes effect in January, 2006, makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business. It provides for both civil remedies and civil penalties. Read the law.
Wednesday, January 18, 2006
Add OnGuard Online to Your Cybercrime-Fighting Arsenal
Hats off to the FTC, Department of Homeland Security, and their collection of online partners for creating an incredible free resource designed to educate the public about online risks. OnGuardOnline.gov says it "provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information." It delivers what it promises in a big way!
Topics include identity theft, file sharing, spyware, spam scams, phishing, online shopping and VoIP. There are excellent short streaming videos that address reducing scams, teaching kids to be safe online, viruses and worms, and protecting privacy. There are also flash video tutorials on security tools, spam filtering and spam reporting.
Don't miss the interactive activities. They are so well done! There are six different interactive quizzes. They are fun and effective.
We'll be helping to promote the new OnGuardOnline.gov site on the Ask a Banker forums on BOL, as well as in our collections of links. We encourage all financial institutions to add links to these resources on their Web sites. There's a section on the Web site where you can download the graphics to use. You can also order free copies of the "Stop - Think - Click" brochure, bookmark and poster for distribution to your customers. Keep in mind that you're not only helping your customers by being proactive about educating them about cyber dangers. Because of the loss-shifting provisions in many laws, the bottom line you protect may be your own!
Tuesday, January 17, 2006
Y-12 is a credit union with 60,000 members in eight East Tennessee counties. A recent Microsoft security hole was detected and publicized. The patch was made available on January 6, 2006. Y-12 downloaded the patch, tested it and applied it system wide on the 9th, but not until after the security hole had been used against them.
For approximately 90 minutes, starting at 7 PM on the 9th, Y-12 customers logged into the Y-12 site and entered their user name and password. The hole allowed them to be redirected to a site based in Greece that would then prompt them for additional confidential information including credit card numbers and PINs. Many users knew they initiated the "conversation" and that they went to the correct site. It should have seemed odd that they were being prompted for this information, but many provided it.
A customer made Y-12 aware of the irregularity and the site was shut down. But this was not until about 30 customers had provided the confidential information and $70,000 was taken. ATM transactions have been seen across the U.S. and as far as Pakistan.
The core system at Y-12 wasn't exposed. This is a phishing variation that was successful for the bad guys seeking individual customer information. Regardless, Y-12 is making full reimbursement to their members and absorbing this loss. They realize it could have been much worse.
Ensure that your customers know what information you will, and will not, request from them. In this case, Y-12 keeps no record of members' PINs. Requesting one would do the real Y-12 no good. If a new PIN was needed, a new one would be issued. But the staff have no knowledge of a member's PIN or any way to get it. Educate your customers.
Wednesday, January 04, 2006
Security Patches - Everyone's Business
* Vulnerability found in Windows and there's no official patch yet.
UPDATE: See below. A patch was issued 01-05-06, five days early.
* The Sober worm readies itself to launch another attack.
* Here is a collection of links to bring you up to speed on both.
Just as customer service and compliance are every employee's job, so is IT security. Your computers are networked, or chained together. And a chain is only as strong as its weakest link. Whether you have IT security in your job description or not, it is an inferred responsibility which cannot be taken lightly.
There is a lot of electronic press now about the Windows Meta File vulnerability. Whether you are using Windows XP with Service Pack 1 or 2 or Windows Server 2003, you are at risk. Older operating systems are also at risk. This isn't a user problem and it isn't necessarily stopped by your anti-virus programs or firewalls. Certainly those two should be installed, updated and used. But the problem here is in the system itself. If a malicious image file is viewed in an email or on a web page, you could be infected: a crafted Windows Meta File can cause malicious code to execute, compromising your computer, your data, and your system itself.
The current situation addressing risks was discussed in the BOL threads beginning Dec. 28, 2005. Since then it has been all over the media, with risks and methods of intrusion being discussed.
With the publication of the vulnerability came dozens of attacks reportedly involving MSN Messenger worms and attempts to get users to sites with the malicious code. Microsoft has been downplaying this weakness and said users should wait for their security fix. The patch wasn't scheduled for release until the second Tuesday of the month, when all monthly patches are made available. Security experts have said you can't wait. An unofficial fix, with instructions on how to apply it, has been on many sites for days, some of which are listed here. The decision to apply the informal fix, or to use your computer cautiously, depends on your expertise, risks and service contracts. Thankfully, Microsoft completed testing of the patch early and has uncharacteristically made it available as of Thursday afternoon. All users should apply the patch.
If you are interested in seeing a video on methods hackers use to get into computers, not necessarily the WMF vulnerability, look at the Fiberlink site. You can see first hand how easy it can be, especially when you leave the cyber door unlocked.
Sober Worm Set to Squirm Again
There is another threat on the immediate horizon. The Sober Worm has a new version that is idle on potentially thousands of computers and is ready to activate itself on January 5th or 6th, 2006. It is believed a release date of the 5th coincides with the anniversary of the 1919 founding of the Nazi party. Several variants of the Sober virus have been tied to dates significant to the Nazi party.
Resources:
U.S. CERT - Technical Cyber Security Alert
Windows flaw spawns dozens of attacks
Wait for Windows patch opens attack window
Experts: Windows Flaw Can't Wait for Microsoft Fix
Microsoft preparing patch for Windows flaw
Links to Unofficial Patch Method
The next Sober virus attack
New Year Virus Filled with Nazi Propaganda