Archive for the Security Category

New IE vulnerability found - Win 2000 and XP

Microsoft released a new security advisory regarding Internet Explorer on Windows 2000 and XP systems. To exploit the vulnerability, a malicious site uses VBScript through the web browser to reach "inherently unsafe" Windows Help files.

To complete the attack, a user must press F1.

The article at PC World suggests that users log off Windows or close Internet Explorer via Windows Task Manager when a site prompts them to press F1.

MS10-015 bulletin - possible BSOD with never ending boot cycles

“…oops I did it again…”  No, we are not going to discuss Britney Spears, but some folks at Microsoft are scrambling for answers after a serious update failure.  The MS10-015 update bulletin is causing some systems to lock up, and on the next boot they BSOD into a never-ending boot cycle.  Ouch.

Here is the crazy part of the equation: some systems do just fine.  I have tested the updates on 10 workstations and 4 have crashed out and died while the other 6 were perfectly fine.  I need to clarify one piece though: each of these systems is exactly the same…EXACTLY.  Each one is a virtual desktop with the exact same applications and updates, and I used the exact same disc to build the machines.  I ran updates on all 10 systems one at a time.

On the four dead systems, here is what I did to repair them.

  • Boot from your Windows XP CD or DVD and start the Recovery Console
  • Once at the repair screen, type this command: CHDIR $NtUninstallKB977165$\spuninst and hit ENTER
  • Type this command: BATCH spuninst.txt and hit ENTER
  • Type this command: systemroot and hit ENTER
  • When complete, type this command: exit and hit ENTER

Of course this may or may not fix your system, but so far it has worked for my dead test systems.
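Before walking each dead virtual desktop through the Recovery Console, it helps to know which machines actually have KB977165 (MS10-015) installed and still carry its uninstall folder. This is an added example, not code from the original post; it assumes WMI access and the C$ admin share on each host with Windows installed in C:\WINDOWS, and the hostnames are constructed.

```powershell
# Added example (not from the original post): report, per machine, whether KB977165 is
# installed and whether the $NtUninstallKB977165$ folder the Recovery Console steps rely on
# is still present. Hostnames are constructed; WMI and the C$ share are assumed reachable.
$computers = 'VDESK01', 'VDESK02', 'VDESK03'
$kb = 'KB977165'

foreach ($pc in $computers) {
    $installed = 'unknown'
    try {
        # Win32_QuickFixEngineering is the class Get-HotFix reads; $null means the KB is absent
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $pc `
                             -Filter "HotFixID='$kb'" -ErrorAction Stop
        $installed = [bool]$qfe
    } catch {
        Write-Warning ("{0}: WMI query failed ({1})" -f $pc, $_.Exception.Message)
    }
    # The rollback needs %SystemRoot%\$NtUninstallKB977165$\spuninst\spuninst.txt; the literal
    # dollar signs in the folder name are escaped so PowerShell does not treat them as variables
    $uninstallTxt = "\\$pc\C`$\WINDOWS\`$NtUninstall$kb`$\spuninst\spuninst.txt"
    $hasFolder = Test-Path -LiteralPath $uninstallTxt
    New-Object PSObject -Property @{
        Computer = $pc; KBInstalled = $installed; UninstallFolder = $hasFolder
    } | Select-Object Computer, KBInstalled, UninstallFolder
}
```

A machine that shows KBInstalled=True but UninstallFolder=False cannot be rolled back this way and needs a different repair path.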

Confused?  You are not alone on this one.  Folks have been trying to figure out what happened and everyone seems to be testing this like crazy.  My final thought on the issue…TOO MANY security fixes and tweaks in one bulletin.  Each time Microsoft tries to update systems with a large number of security fixes and tweaks, it seems like they get a large number of failures.  Seems like they should have broken this month's updates into two…which they have done before.

Other related stories on this issue.
MS update gives some XP boxes the Blue Screen
New Patches Cause BSoD for Some Windows XP Users

Microsoft Blog post on this issue.
Restart issues after installing MS10-015

Microsoft’s workaround for this issue.
Microsoft Security Advisory: Vulnerability in Windows Kernel could allow elevation of privilege

As always, enjoy your updating and let us know if you encounter any other nasty issues.

posted by: Myke Reinhold

Fighting malware, Trojans and a multitude of other web-related threats

Everyone knows that surfing the web can/is/will always be a dangerous thing to do.  As systems engineers/administrators we always have the task of protecting both the end users who are educated on the security risks and the end users who have no clue at all.  No matter how much knowledge you have as an end user, you can always get hit by doing something very innocent on the Internet.  But what can be done to help prevent this?  For myself, I registered with the elite group over at MalwareURL and started importing their database into my firewall.  Now this does not protect me 100%, but it sure helps, to say the least.  To date they have 33,944 domains and 8,787 IP addresses listed.

Here are the two best reasons to check out MalwareURL.  First, you can use their information to infect a virtual or physical test machine to practice clearing out nasty little bugs and to teach yourself how to reverse engineer problems.  Just remember to infect a test machine, not a production box.  Second, you can also report any sites you find that are not listed yet.  This helps build the database, and the best way for us to protect ourselves is to share information with each other.
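Importing a domain and IP blocklist into a firewall only works if the matching is done the way the firewall does it: case-insensitively, ignoring trailing dots, and treating a listed domain as covering its subdomains. The following is an added example, not MalwareURL's code or export format; the list layout (one entry per line, '#' comments) and the sample entries are constructed assumptions.

```powershell
# Added example (not from the original post): load a blocklist of domains and IPs and test
# outbound hostnames against it the way a firewall or proxy rule would. The export format
# and the entries below are constructed; they are not the real MalwareURL data.
$sampleList = @'
# constructed sample export
bad-example.test
malware.example.test
198.51.100.23
'@

function Import-BlockList {
    param([string]$Text)
    $domains = New-Object 'System.Collections.Generic.HashSet[string]'
    $ips     = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($line in ($Text -split "`r?`n")) {
        $entry = $line.Trim().ToLowerInvariant().TrimEnd('.')
        if (-not $entry -or $entry.StartsWith('#')) { continue }
        $ip = [System.Net.IPAddress]::Any
        # IP entries are normalized through IPAddress so "198.051.100.023"-style variants match
        if ([System.Net.IPAddress]::TryParse($entry, [ref]$ip)) { [void]$ips.Add($ip.ToString()) }
        else { [void]$domains.Add($entry) }
    }
    New-Object PSObject -Property @{ Domains = $domains; IPs = $ips }
}

function Test-BlockedHost {
    param($BlockList, [string]$HostName)
    $h = $HostName.Trim().ToLowerInvariant().TrimEnd('.')
    $ip = [System.Net.IPAddress]::Any
    if ([System.Net.IPAddress]::TryParse($h, [ref]$ip)) { return $BlockList.IPs.Contains($ip.ToString()) }
    # A listed domain also covers its subdomains: walk from the full name up to its parents,
    # stopping before the bare top-level label so a TLD alone is never matched
    $labels = $h.Split('.')
    for ($i = 0; $i -lt $labels.Length - 1; $i++) {
        $candidate = ($labels[$i..($labels.Length - 1)]) -join '.'
        if ($BlockList.Domains.Contains($candidate)) { return $true }
    }
    return $false
}

$list = Import-BlockList -Text $sampleList
'cdn.bad-example.test', 'BAD-EXAMPLE.TEST.', '198.51.100.23', 'safe.example.test' |
    ForEach-Object { '{0,-25} blocked={1}' -f $_, (Test-BlockedHost $list $_) }
```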

PrivateKeyMissing when running Enable-ExchangeCertificate

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services "IIS"

The above error is the result of a glitch in Exchange 2007. It does not happen every time and appears to be completely random, but when it does happen, no certificate can be installed or removed through the Exchange Management Shell (EMS). For whatever reason, the system loses track of where it placed the private key, or the certificate store is damaged.

Repair Damaged Certificate Store:

1) Open MMC (Microsoft Management Console) to the Certificate Manager (Certificates snap-in) for the Local Computer account.
2) Double-click the recently imported certificate (it will be missing the golden key).
3) Go to the Details tab.
4) Click on the Serial Number field and copy down that number. (Leave the window open.)
5) Open a command prompt (CMD.exe).
6) Type: certutil -repairstore my "SerialNumber" (SerialNumber is the number copied down in step 4.)
7) After running the command, go back to the MMC, right-click Certificates and select "Refresh".
8) You should now see the golden key associated with the certificate.
9) Double-check in the Exchange Management Shell with: Get-ExchangeCertificate

Alternatively, if the above does not work, try the following:
Note: follow these steps only if running Windows Server 2008.

1) Open MMC (Microsoft Management Console) to the Certificate Manager (Certificates snap-in) for the Local Computer account.
2) Look in the Personal section of the Certificate Manager; there should be icon(s) without a little golden key. (Those with the key have the private key bound to them.)
3) Delete the icons without the golden key.
4) Go back to the EMS.
5) Run Import-ExchangeCertificate and Enable-ExchangeCertificate in one line, like so: Import-ExchangeCertificate -Path c:\exchange.comodo.com.crt | Enable-ExchangeCertificate -Services "SMTP, IMAP, IIS, POP"
*** Please modify the command according to your needs. ***
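Steps 1 through 8 of the repair procedure can be scripted so that every certificate in the Local Computer Personal store that has lost its private-key binding is repaired in one pass. This is an added example, not part of the original post or of Exchange; it assumes an elevated PowerShell session on the Exchange server, and the -WhatIf switch is this script's own parameter, not an Exchange one.

```powershell
# Added example (not from the original post): find certificates in LocalMachine\My that
# show no private key (the ones without the golden key in MMC), run certutil -repairstore
# against each serial number, and re-read the store to confirm the key is bound again.
# -WhatIf (this script's own switch) lists the candidates without calling certutil.
param([switch]$WhatIf)

# HasPrivateKey is $false for exactly the certificates the procedure above targets
$orphans = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }

if (-not $orphans) {
    Write-Host 'Every certificate in LocalMachine\My already has a private key bound.'
    return
}

foreach ($cert in $orphans) {
    Write-Host ('Missing private key: {0}  serial={1}  thumbprint={2}' -f `
                $cert.Subject, $cert.SerialNumber, $cert.Thumbprint)
    if ($WhatIf) { continue }

    # certutil locates the key container by serial number and rebinds it if the key is still on disk
    & certutil.exe -repairstore my $cert.SerialNumber | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ('certutil returned {0} for serial {1}' -f $LASTEXITCODE, $cert.SerialNumber)
        continue
    }

    # Re-read the store entry: a successful repair flips HasPrivateKey to $true
    $after = Get-ChildItem -Path ('Cert:\LocalMachine\My\' + $cert.Thumbprint)
    Write-Host ('  repaired: {0}' -f $after.HasPrivateKey)
}

# Step 9 is still done in the Exchange Management Shell:
#   Get-ExchangeCertificate | Format-List Thumbprint, Services, Subject
```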

Conficker C worm - do you have it?

There is a ton of buzz all over the media about this worm, what it will do and how to tell if you have it.  As complex as this worm is, it is also very simple to determine whether you have it or not.

Step 1 - If you have Automatic Updates turned on, check to see if it is now turned off.  The reason is that this worm actually turns off updates to protect itself.

Step 2 - Manually run Microsoft Update.  If you can run updates manually on your computer, then you are okay.  This worm will actually prevent you from connecting to the update sites.

Now that we know how to check for it, how do you prevent it?  Very simple.  Keep your computer updated and make sure your anti-virus software is running and current.

What do you do if you have this worm?  You will want to contact your anti-virus software vendor and see if they can help you out.  If not, or if they want to charge you an arm and a leg, give it a go yourself.  There are a couple of very easy-to-use free tools you can use to remove it, but it will take some patience.

Now that you have a couple of removal tools, start running them and cleaning.  A great tip is to update both tools first and then run them from Safe Mode with your computer disconnected from the network/Internet.
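The two manual checks above can be scripted so they run the same way on every machine. This is an added example, not from the original post; the service, registry key and value names are the standard Windows Update ones, the AUOptions meanings are an assumption documented in the comments, and a failed check is a reason to scan the machine with an up-to-date anti-virus tool, not proof of Conficker by itself.

```powershell
# Added example (not from the original post): script the two checks from the post.
# Step 1 looks at the Automatic Updates service and its registry setting; Step 2 tests
# whether the update site still resolves, since the worm blocks access to it.
function Test-AutomaticUpdates {
    $result = New-Object PSObject -Property @{
        ServiceRunning = $false; AutoUpdatesOn = $false; UpdateSiteResolves = $false
    }

    # Step 1: the worm turns updates off; a stopped or disabled wuauserv is the first sign
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($svc) {
        $result.ServiceRunning = ($svc.State -eq 'Running' -and $svc.StartMode -ne 'Disabled')
    }

    # AUOptions (assumed meanings): 1 = never check for updates, 2-4 = some form of automatic
    # updating. A missing value is reported as "off" so it gets a second look.
    $auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au = Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue
    if ($au -and $au.AUOptions -ne 1) { $result.AutoUpdatesOn = $true }

    # Step 2: a machine that can no longer resolve the update site is suspect
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('update.microsoft.com')
        $result.UpdateSiteResolves = ($addrs.Count -gt 0)
    } catch {
        $result.UpdateSiteResolves = $false
    }
    return $result
}

Test-AutomaticUpdates | Format-List ServiceRunning, AutoUpdatesOn, UpdateSiteResolves
```

Any of the three properties reading False on a machine that previously had updates enabled matches the symptoms described above and warrants a full scan.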

Good luck and happy hunting, so to speak.

New module for the conficker worm virus

Thanks to the folks over at the Register for this information.

Researchers at Symantec have discovered what could be a significant development in the ongoing Conficker worm saga: a new module that is being pushed out to some infected systems.

In a couple of ways, the new component is designed to harden infected machines against an industry consortium that is actively trying to contain the prolific worm. For one, the update targets antivirus software and security analysis tools to prevent them from removing the malware. Not only does it try to disable anti-malware titles, it also goes after programs such as Wireshark and regmon.

And for another, it also greatly expands the number of domain names infected machines contact on a daily basis.

Up to now, a pseudo random domain name generator produced 250 addresses that infected machines reported to each day. The industry consortium, dubbed the Conficker cabal, responded by cracking the algorithm and snapping up those domains ahead of the malware authors to prevent the infected machines from sustaining further damage.

The new component ups the ante by increasing the number of domains to 50,000 per day.

“It’s clearly trying to work around the work of the cabal,” Vincent Weafer, vice president of Symantec Security Response, told The Register.

So far, Symantec has been able to confirm delivery of the new component to only a handful of machines. Symantec researchers are in the process of determining if the updates are just the beginning of what will eventually be pushed out to infected machines everywhere, but either way, this appears to be the first time the malware authors have actually pushed out an update. Up to now the machines have phoned home but never received a reply.

“That’s what makes this interesting, because this is what we believe is the first example of receiving an answer to that call,” Weafer said. “Today is the very first case of that being successful.”

Estimates of the number of machines infected by Conficker vary, from hundreds of thousands to more than 10 million. Weafer and other security researchers have said Conficker’s growth has slowed over the past few weeks. That suggests its authors may be more focused on protecting the machines they’ve already vanquished than claiming new ones.

posted by: Myke Reinhold
source:
The Register

New Facebook Malware attack

Source of story - The Register

Facebook has again been attacked by a spamming malware file, which tells us that the popularity of Facebook is growing very fast.  The Facebook user receives a notification that their account is in violation of Facebook rules.  There is a link to the violation which then attacks the computer and posts the same message to all of their friends on Facebook.  The link is listed as “f a c e b o o k - - closing down!!!”.  This is now the second attack in less than a week.

Folks, if you use Facebook you need to use some common sense.  Remember, if you do not know the person, ignore it.  :-)
Screenshots from Trendmicro

Video feed of another Facebook Malware attack

There is a lesson to be learned folks. Do not install anything from any site you do not know or recognize.

Spam rules the Email world in 2008

Sexual performance enhancers and pharmaceuticals were the most common subjects used by spam in 2008

GLENDALE, Calif., Jan. 28, 2009 - PandaLabs, Panda Security's malware analysis and detection laboratory, today revealed the results of its analysis of 430 million email messages from 2008 and discovered that only 8.4 percent of messages that reached companies were legitimate. Some 89.88 percent of messages were spam, while 1.11 percent were infected with some type of malware. This data was compiled from analysis by TrustLayer Mail, the clean mail managed service from Panda Security.

Only January 2008 witnessed levels of spam below 80 percent. The amount of spam fluctuated throughout the year, peaking in the second quarter at 94.27 percent of all mail reaching companies.

With respect to infected messages in 2008, the Netsky.P worm was the most frequently detected malicious code. This type of malware activates automatically when users view the infected message through the Microsoft Office Outlook preview pane. It does this by exploiting a vulnerability in Internet Explorer that allows automatic execution of email attachments. The exploit of this vulnerability was detected by PandaLabs as Exploit/iFrame and was the third most frequently detected type of malware in emails by TrustLayer Mail.

“The fact that these two malicious codes often act in unison explains the high number of detections of both,” said Luis Corrons, Technical Director of PandaLabs. “Cyber crooks often launch several strains of malware with each exploit to increase the chances of infection, so even if users whose systems are up-to-date are immune to the exploit, they could still fall victim to infection by the worm if they run the attachment.”

The Rukap.G backdoor Trojan, designed to allow attackers to take control of a computer, and the Dadobra.Bl Trojan were also among the most prevalent malicious code.

Top malware in email:

1) Netsky.P.worm
2) Bck/Rukap.G
3) Exploit/iFrame
4) Trj/Dadobra.BL
5) Generic Malware
6) Trj/Downloader.PSJ
7) Trj/SpamtaLoad.DO
8) Trj/Downloader.PWR
9) Bck/Haxdoor.PL
10) Trj/Spamtaload.DZ

“For companies, spam is more than just a nuisance. It consumes bandwidth, wastes employees’ time and can even cause system malfunctions. In the end, it all results in a loss of productivity,” adds Luis Corrons.

Much of this spam was circulated by the extensive network of zombie computers controlled by cyber-crooks. A zombie is a computer infected by a bot, a type of malware allowing cyber criminals to control infected systems. Frequently, these computers are used as a network to drive malicious actions such as the sending of spam. Just in the last three months of the year, 301,000 zombie computers were being put into action every day.

Spam subjects in 2008

With respect to the different types of spam in circulation, 32.25 percent of spam in 2008 was related to pharmaceutical products with sexual performance enhancers accounting for 20.5 percent.

Spam relating to the economic situation also grew significantly throughout 2008. False job offers and fraudulent diplomas accounted for 2.75 percent of all junk mail in the year, while messages promoting mortgages and fake loans were responsible for 4.75 percent.

Spam promoting fake brand products, such as watches, was responsible for 16.75 percent of the total. This category nevertheless dropped from 21 percent in the first half of the year to 12.5 percent in the last six months. To view an entire breakdown of the variety of spam subjects that PandaLabs discovered, please access the data here: http://www.flickr.com/photos/panda_security/3234535186/

About PandaLabs

Since 1990, its mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda Security's new security model which can even detect malware that has evaded other security solutions. Currently, 94 percent of malware detected by PandaLabs is analyzed through this system of collective intelligence. This is complemented by the work of several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), working 24/7 to provide global coverage. This translates into more secure, simpler and more resource-friendly solutions for clients. More information is available in the PandaLabs blog: http://www.pandalabs.com and the Panda Security website: www.pandasecurity.com/usa.

SQL Server Database Hack Tricks Forensics

Black Hat researcher will show how the bad guys can use a database’s own features against it

A database security researcher will demonstrate at next month’s Black Hat DC how an attacker who breaks into a SQL Server database can cover his tracks using antiforensics techniques.

Cesar Cerrudo, lead researcher for Application Security’s Team SHATTER, and founder and CEO of Argeniss, says he will show a proof-of-concept that circumvents forensics investigations by abusing some inherent features in the database. “If the attacker has done a good job of removing his tracks, then it becomes pretty difficult to determine what was done, how it was done, why, and by whom,” Cerrudo says.

So far, Cerrudo says he hasn’t seen any database attacks that have gone to the next level like this yet. “But as criminal hacking is rapidly growing, and databases are where the juicy stuff is saved, in the future we will start to see more and more sophisticated attacks,” he says, especially since many big breaches are the result of database hacks.

And in the current economic climate, the risk of an insider attack is even higher. The financial pressures of a possible layoff or otherwise could entice a database operator to go rogue. “The main point of this research is that if you don’t properly protect database servers, sooner or later you will get hacked and probably lose millions of dollars,” he says.

Although Cerrudo’s research focuses on SQL Server, any database could be hacked and manipulated with antiforensics, he says. Among the database features that the bad guys can use for nefarious purposes are the ability to load external libraries or binary code, which can manipulate the server itself. Buffer overflow attacks are another way to do so as well, according to Cerrudo.

All it takes is for an attacker to gain database administrative privileges — which is not difficult if the database isn’t locked down properly — by exploiting a vulnerability in the database or stealing the credentials via a Trojan or brute-force hacking, for instance.

“Once you have enough privileges, you can do anything on any database server. This includes loading code to database server memory, [and] then this code can manipulate all functionality and let the attacker perform any actions” on the database he wants, Cerrudo says.

If the database hack using antiforensics is detected, some of the damage can be discovered by forensics, such as stolen data or changes made to the data stored in the database, for instance. But how it was hacked or who did it would remain a mystery, he says.

An attacker who infiltrates a database can even frame another person for the attack using antiforensics techniques. “One of the scary things about these antiforensics techniques is that the attacker can point investigators in the wrong way by making it look like another person performed the attack,” Cerrudo says.

The attacker could leave behind phony tracks that incriminate the victim organization’s database administrator so that when the forensics investigators do their work, all evidence leads to the database admin rather than the real culprit. “Without logs or [with] confusing logs, investigation becomes harder, the evidence is not enough, and in order to find the real culprit you must find real evidence that points to him,” Cerrudo says.

How can an organization protect itself from such an attack? “Nowadays, using a third-party monitoring mechanism should be a must since built-in security mechanisms can’t protect [the database] once the attacker has enough permissions,” he says.

Cerrudo also recommends regular database patching, strong passwords, and periodic database vulnerability scans.

Malware bomb at Fannie Mae

IT Worker Indicted For Setting Malware Bomb At Fannie Mae

IT contractor deployed highly malicious script before his administrative rights were terminated

A former IT contractor at Fannie Mae, angry at being terminated in October, has been thwarted in his attempt to crash all 4,000 servers at the mortgage services institution and wipe out all of their data.

According to a report from the U.S. Department of Justice, a federal grand jury in Maryland has indicted Rajendrasinh Babubhai Makwana, a contractor working at Fannie Mae’s Urbana, Md., facility, for transmitting a malicious script to the company’s servers.

The malicious code, which was set to execute on Jan. 31, was designed to propagate throughout the Fannie Mae network and destroy all of the company’s data, the DoJ says.

According to court documents, Makwana — who was employed by OmniTech, a third-party contractor that handles server administration for Fannie Mae — was censured by management on Oct. 10 after unintentionally distributing a server script without authorization. The documents suggest the mistake was so egregious that Makwana probably knew he would be fired, although his administrative rights were not revoked until hours after his official termination on Oct. 24.

Apparently, Makwana had been busy before he was kicked off the system. On Oct. 29, five days after Makwana had left the company, a senior Unix engineer found a malicious script buried in a legitimate script that validates the storage area network connections among the company’s 4,000 servers every morning at 9 a.m. A page break had been inserted between the malicious script and the legitimate script, making it less obvious.

The malicious script was set to execute multiple tasks, all of them bad. First, it would wipe out all of the passwords on the servers, effectively locking administrators out. Then it would build a list of all servers that contained Fannie Mae data and wipe out all of the data, replacing it with zeros. This would also destroy the backup software on the servers, making the restoration of data more difficult because new operating systems would have to be installed on all servers before any restoration could begin, the court documents say.

The script would also remove all “High Availability” software from any critical server, the complaint continues. Then it would power off all servers, disabling the ability to remotely turn on a server. After the second run-through, the script would remove all of the files on the current host and try to zero out the root file system.

“Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced, if not shut down, operations at [Fannie Mae] for at least one week,” the complaint says. “If this script were executed, the total damage would include cleaning out and restoring all 4,000 [Fannie Mae] servers, restoring and securing the automation of mortgages, and restoring all data that was erased.”

Makwana faces a maximum sentence of 10 years in prison. He had his initial appearance in federal district court on Jan. 6, following the filing of the complaint. Arraignment is scheduled for Jan. 30, 2009.

Industry experts warn that such exploits may become more common as the economy forces companies to lay off an increasing number of employees. Enterprises should be careful to terminate all data and administrative access rights for the affected employees before they have the opportunity to act in retribution, the experts warn.