The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.
Week Ending: Friday, June 26, 2009
Infrastructure Report for 22 June 2009
Are you ready to adopt a Microsoft antivirus service – it is free?
37. June 18, CNET News – (International) Microsoft’s free antimalware beta on the way. Microsoft will launch a public beta of its anti-malware service, Microsoft Security Essentials, on June 23 as it phases out its Live OneCare suite in favor of a simpler free consumer security offering. Microsoft Security Essentials, which will run on Windows XP, Vista, and Windows 7, will be available in the U.S., Brazil, and Israel in English and Brazilian Portuguese. A public beta version for Simplified Chinese will be available later in the year. The service works like traditional antivirus products in which client software monitors programs on a PC. When something changes on the computer, such as files being downloaded or copied or software trying to modify files, the system checks against a set of malware signatures in the client program to see if the code matches the signature for known malware. If so, it blocks it from getting downloaded. If no signature match is found, the system will ping the server-based Dynamic Signature Service to see if any new signatures are available and, if so, it removes the malware. If it appears to be new malware, the Dynamic Signature Service may request a sample of the code in order to create a new signature. The service updates its anti-malware database constantly and publishes new antivirus signatures to Microsoft Update three times a day, the general manager of Microsoft’s Anti-Malware team said in an interview on June 18. Source: http://news.cnet.com/8301-1009_3-10268040-83.html
Infrastructure Report for 23 June 2009
It looks like Google may be on our side!
30. June 19, Baltimore Examiner – (International) Google’s online security helps fight malware. Google’s online security recently started to identify web pages that infect computers via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time they have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. Third-party content is one avenue for malicious activity. Today, a lot of third-party content is due to advertising. In Google’s analysis, they found that on average 2 percent of malicious web sites were delivering malware via advertising. The underlying problem is that advertising space is often syndicated to other parties who are not known to the web site owner. In addition, Google’s security team also investigated the structural properties of malware distribution sites. Some malware distribution sites had as many as 21,000 regular web sites pointing to them. It was also found that the majority of malware was hosted on web servers located in China. Interestingly, Chinese malware distribution sites are mostly pointed to by Chinese web servers. Google says they are constantly scanning their index for potentially dangerous sites. Their automated search systems found more than 4,000 different sites that appeared to be set up for distributing malware by massively compromising popular web sites. Source: http://www.examiner.com/x-11905-SF-Cybercrime-Examiner~y2009m6d19-Googles-online-security-helps-fight-malware
Infrastructure Report for 24 June 2009
Is there a “Gumblar” in your future?
32. June 2, CNET News – (International) Thought the Conficker virus was bad? Gumblar is even worse. ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code that was planted in hacked Web sites and then downloaded malware from the gumblar.cn domain on to victims’ computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code, Gumblar replaced the original material with dynamically generated Javascript (Web site code that is created on the spot instead of being completely determined beforehand — a key element of Web apps like Gmail) that is much harder for security software to detect and remove. The evolved version also went about adding new domains to the list of sources for downloading its malware payload, including liteautotop.cn and autobestwestern.cn, and began exploiting security holes in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for uploading files to a Web site) on a victim’s computer, using them to infect additional Web sites. It is not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe, in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but, even if all the infected pages were removed, Gumblar would still have an army of infected PCs to inflict further damage. Source: http://www.switched.com/2009/06/02/though-the-conficker-virus-was-bad-meet-gumblar/
Are you prepared for exploits of the Microsoft “DirectShow” bug?
33. June 22, Computerworld – (International) Exploits of unpatched Windows bug will jump, says Symantec. An exploit of a still-unpatched vulnerability in Microsoft Windows XP and Server 2003 has been added to a multi-strike attack toolkit, Symantec said recently, a move that may mean attacks will increase soon. According to Symantec, an in-the-wild exploit of the DirectShow bug, which Microsoft acknowledged a month ago, has been added to at least one Web-based attack kit. “This will likely lead to wide-spread use in a short time,” said a researcher with Symantec’s security response group, in an entry posted to the company’s blog on June 19. Microsoft has not yet issued a fix for the DirectShow bug, which affects Windows 2000, XP and Server 2003, but not the newer Windows Vista or Server 2008. The flaw also does not affect the not-yet-released Windows 7. However, attacks leveraging the bug have been tracked since May, when Microsoft issued a security advisory and confirmed it had evidence of “limited, active attacks.” Unlike other recent exploits of Microsoft zero-days, vulnerabilities that have not been patched by the time attack code surfaces, the DirectShow attacks are not targeting specific individuals or organizations. “This is not a targeted attack, but is one of limited distribution,” a senior research manager with Symantec, said in a telephone interview. What caught researchers’ attention, added the manager, was that the DirectShow exploit piggybacked on a run-of-the-mill phishing attack. It is becoming more common that a phishing site, in this case a bogus log-in page for Microsoft’s Windows Live software, also hosts malware that tries to hijack PCs. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9134645
Infrastructure Report for 25 June 2009
Something we have known for decades. Why can’t we convince senior management?
35. June 24, MXLogic – (International) CISOs see insiders as greatest ‘human threat’ to data security. The vast majority of chief information security officers surveyed at a CISO summit in June said that insiders are the greatest human threat to data security, while only 18 said they are concerned about threats from external sources such as cybercriminals and corporate spies. The survey by NetWitness Corporation and MIS Training Institute revealed that 80 percent of CISOs and CSOs feel insiders are the greatest human threat. A conference director at MIS Training Institute said the survey findings are “alarming,” in that there is a “misperception that traditional security approaches alone can protect against information leaks and that some CISOs were not sure what they need for data protection or were not planning to focus any money in that area this year.” Although CISOs are at least thinking about insider threats, another recent survey of business managers found that executives seemingly do not think about insider threats to data security from ex-employees. A Courion Corporation survey revealed that 93 percent of business managers are confident that terminated employees pose no risk to their network security, even though many have limited knowledge of the systems to which their employees have access. Source: http://www.mxlogic.com/securitynews/network-security/cisos-see-insiders-as-greatest-human-threat-to-data-security132.cfm
Infrastructure Report for 26 June 2009
An innovative virus distribution mechanism. Are you blocking it?
28. June 23, Red Condor – (International) Red Condor’s Spam Trip Wire detects new virus. Red Condor’s Spam Trip Wire feature instantly detected and blocked a new email virus campaign designed to scare email users with bogus legal action for activities including illegal music downloads. The virus campaign detected on June 22 calls attention to users’ supposed recent activity at sites commonly used to share and download copyrighted movies, music and software. The email content threatens recipients with legal action and includes a link to a “log report” that is actually a virus executable. Red Condor created a filtering rule and distributed the added security to its security appliance and hosted service customers around the world. Source: http://www.enterprise-security-today.com/story.xhtml?story_id=67361
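The kind of mail-filter rule the item above describes, as an added illustration (this is not Red Condor’s rule or code): it flags messages that combine legal-threat wording with a link whose path is an executable, using constructed sample messages and an assumed `.invalid` domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the campaign described above:
# a legal-threat lure whose "log report" link points at an executable.
SAMPLE_MESSAGES = [
    {"subject": "Notice of copyright infringement",
     "body": "Our logs show illegal music downloads from your address. "
             "Legal action will follow unless you review the log report: "
             "http://example.invalid/reports/log_report.exe"},
    {"subject": "Weekly build status",
     "body": "Build passed. Full log report: https://ci.example.invalid/logs/1234.html"},
    {"subject": "Final warning before legal action",
     "body": "Download the evidence file here: http://example.invalid/evidence.scr"},
]

# Lure vocabulary from the campaign; extend from real samples in production.
LEGAL_THREAT = re.compile(r"\b(legal action|copyright|lawsuit|infringement)\b", re.I)
# File extensions Windows will execute directly when a user opens the download.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".pif")
URL = re.compile(r"https?://\S+")

def classify(msg):
    """Return (verdict, reasons) for one message: block / review / pass."""
    text = msg["subject"] + "\n" + msg["body"]
    legal = bool(LEGAL_THREAT.search(text))
    exe_links = []
    for url in URL.findall(text):
        path = urlparse(url.rstrip(".,;)")).path.lower()
        if path.endswith(EXECUTABLE_EXT):
            exe_links.append(url)
    reasons = (["legal-threat wording"] if legal else []) + \
              [f"link to executable: {u}" for u in exe_links]
    # Block only on the combination; either signal alone is too noisy
    # for an outright block, so an executable link by itself is queued for review.
    if legal and exe_links:
        return "block", reasons
    if exe_links:
        return "review", reasons
    return "pass", reasons

def filter_messages(messages):
    """Apply classify() to each message and return the list of verdicts."""
    return [classify(m)[0] for m in messages]

if __name__ == "__main__":
    for m, v in zip(SAMPLE_MESSAGES, filter_messages(SAMPLE_MESSAGES)):
        print(v, "-", m["subject"])
```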
Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to: http://dhs-daily-report.blogspot.com/