15. June 2010 by Myke.

Microsoft issued a new Security Advisory for a flaw in the Windows Help and Support Center as reported by Ars Technica. The vulnerability only affects Windows XP and Server 2003, Vista and 7 are unaffected.

The worry with this vulnerability is that the help links in the Help Center can be hijacked to run executables on the victim’s computer. The details of the vulnerability and possible attack are as follows:

In Windows XP and Windows Server 2003, clicking on an hcp:// link launches helpctr.exe via a registered protocol handler; this is normally a safe way to launch help content thanks to an allow list that Help and Support Center checks before navigating to a given help page. A Google security researcher discovered, however, that a help page with a cross-site scripting vulnerability can be paired with a mechanism to abuse the allow-list functionality to access that page with an exploit querystring. Thus, clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary executable on the machine.

Microsoft says that they are monitoring the problem and is so far unaware of any attacks in the wild. They may prepare a patch for the next Patch Tuesday or it could come earlier. Microsoft has outlined some mitigating factors which are also in the Security Advisory.

• The first is that if the attack is web-based the attacker would host a web page to exploit the vulnerability or host advertisements on another website. Victims can’t be required to visit the pages and the hacker would try to get people to visit with social engineering tactics like emails.
• The vulnerability can’t be manipulated directly from an email, the user would have to click a link.
• A hacker that successfully executed the attack could gain the same user rights as the user logged in. If users aren’t logged in as an admin the damage could be lessened.

Microsoft has one workaround where the registry is edited to unregister the HCP protocol. They detail two methods of doing this in the Security Advisory but they warn that after editing the registry it will obviously break all help links that use HCP.

This vulnerability was discovered by Google who alerted Microsoft to the problem on June 5 and then turned around and kindly disclosed it to the public on June 9. Microsoft was none too happy with Google about that and said:

Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.

Posted in Security, General Hardware, Microsoft, Desktops, Laptops | No Comments »

3. March 2010 by Myke.

Microsoft released a new security advisory regarding Internet Explorer on a Windows 2000 or XP system. To exploit the vulnerability,a malicious site reaches through the web browser by using VBScript and accesses “inherently unsafe” Windows Help files.

To complete the attack, a user must push F1.

The article at PC World suggests users to log off Windows or close Internet Explorer via Windows Task manager when a site prompts a user to hit F1.

Posted in Security, Microsoft | 1 Comment »

14. February 2010 by Myke.

“…oops I did it again…”  No we are not going to discuss Britney Spears but some folks at Microsoft are scrambling for answers after a serious update failure.  The MS10-015  update bulletin is causing some systems to lock up and then during the boot up they BSOD into a never ending boot cycle.  Ouch.

Here is the crazy part of the equation, some systems do just fine.  I have tested the updates on 10 workstations and 4 have crashed out and died while the other 6 were perfectly fine.  I need to clarify one piece though, each of these systems are exactly the same…EXACTLY.  Each one is a virtual desktop with the exact same applications, updates and I used the exact same disc to build the machines.  I ran updates on all 10 systems one at a time.

On the four dead systems here is what I did to repair them.

• Boot from your Windows XP CD or DVD and start the recovery console
• Once at the repair screen - Type this command: CHDIR $NtUninstallKB977165$\spuninst and hit ENTER
• Type this command: BATCH spuninst.txt and hit ENTER
• Type this command: systemroot and hit ENTER
• When complete, type this command: exit and hit ENTER

Of course this may or may not fix your system, but so far it has worked for my dead test systems.

Confused?  You are not alone on this one.  Folks have been trying to figure out what happened and everyone seems to be testing this like crazy.  My final thought on the issue…TOO MANY security fixes and tweaks in one bulletin.  Each time Microsoft tries to update systems with a large amount of security fixes and tweaks it seems like they get a large amount of failures.  Seems like they should have broke this months updates into 2 for the month…which they have done before.

Other related stories on this issue.
MS update gives some XP boxes the Blue Screen
New Patches Cause BSoD for Some Windows XP Users

Microsoft Blog post on this issue.
Restart issues after installing MS10-015

Microsoft’s workaround for this issue.
Microsoft Security Advisory: Vulnerability in Windows Kernel could allow elevation of privilege

As always, enjoy your updating and let us know if you encounter any other nasty issues.

posted by: Myke Reinhold

Posted in Security, Microsoft, Desktops, Laptops | No Comments »

21. December 2009 by Myke.

Everyone knows that surfing the web can/is/will always be a dangerous thing to do.  As a systems engineer/administrator we always have the task of protecting end users who are educated on the security risks and the end users who have no clue at all.  No matter how much knowledge you have as an end user you can always get hit by doing something very innocent on the Internet.  But what can be done to help prevent this?  For myself, I registered with the elite group over at MalwareURL and started importing their database into my firewall.  Now this does not protect me 100% but it sure helps to say the least.  To date they have 33,944 domains listed and 8,787 IP addresses listed.

Here are the two best reasons to check out MalwareURL.  First of all, you can use their information to infect a virtual/physical machine to practice clearing out nasty little bugs and teaching yourself how to reverse engineer problems.  Just remember to infect a test machine, not a production box.  Second, you can also report any sites you find that are not listed yet.  This helps build the database and the best way for us to protect ourselves is to share information with each other.

Posted in Security | 1 Comment »

24. July 2009 by Myke.

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services “IIS”

The above error is a result of a glitch with Exchange 2007. This issue does not happen all the time as it is completely random, but when it does happen no certificate can be installed or removed through the Exchange Management Shell (EMS). For whatever reason it may be, the system forgets where it placed the Private Key or the certificate store is damaged.

Repair Damaged Certificate Store:

1) Open MMC (Microsoft Management Console) to the Certificate Manager (Certificates Snap-in) for the Local Computer account.
2) Double-Click on the recently imported certificate (It will be missing the golden key).
3) Go to the Details tab.
4) Click on the Serial Number field and copy down that number. (Leave window open)
5) Open up the command prompt (DOS Prompt — CMD.exe)
6) Type: certutil -repairstore my “SerialNumber”( SerialNumber is that what was copied down in step 4.)
7) After running the command, go back to the MMC and right-click Certificates and select “Refresh”.
One should now see the golden key associated with the certificate.
9) Double-check in the Exchange Power Shell with: Get-ExchangeCertificate

Alternatively if the above does not work try the following:
Note: Follow these steps if running Windows Server 2008 only

1) Open MMC (Microsoft Management Console) to the Certificate Manager for the Local Computer account. (Certificates Snap In)
2) Look in the Personal section of the Certificate Manager and there should be icon(s) without a little golden key. (Those with the key have the private key bonded to them.)
3) Delete the icons without the golden key.
4) Go back to the EMS.
5) Run the Import-ExchangeCertificate and Enable-ExchangeCertificate in one line like so: [ Import-ExchangeCertificate -Path c:\exchange.comodo.com.crt | Enable-ExchangeCertificate -Services “SMTP, IMAP, IIS, POP” ]
*** Please modify the command according to your needs. ***

Posted in Security, Exchange, Microsoft | 1 Comment »

29. March 2009 by Myke.

There is a ton of buzz all over the media world about this worm and what it will do and how to tell if you have.  As complex as this worm is, it is also very simple to determine if you have it or not.

Step 1 - If you have Automatic Updates turned on, check to see if it is now turned off.  These reason is that this worm actually turns off updates to protect itself.

Step 2 - Manually run Microsoft Updates.  If you can run updates manually on your computer then you are okay.  This worm will actually prevent you from connecting to the update sites.

Now that we know how to check for it, how do you prevent it.  Very simple.  Keep your computer updated and make sure your anti-virus software is running and current.

What do you do if you have this worm?  You will want to contact your anti-virus software vendor and see if they can help you out.  If not and they want to charge you an arm and a leg, give it a go yourself.  There is a couple very easy to use and free tools you can use to remove it but it will take some patience.

• Malwarebytes Anti-Malware - You can grab this GREAT tool from www.malwarebytes.org.
• LavaSoft Ad-Aware - You can grab this great little removal tool from www.lavasoft.com.

Now that you have a couple of removal tools, start running them and cleaning.  A great tip is to update both pieces of this software and then run them from Safe Mode with your computer not on the network/Internet.

Good luck and happy hunting, so to speak.

Posted in Networking, Internet, Registry, Scripting, Security, Technical Questions, Laptops, Desktops, Microsoft, General Hardware, Servers | 1 Comment »

8. March 2009 by Myke.

Thanks to the folks over at the Register for this information.

Researchers at Symantec have discovered what could be a significant development in the ongoing Conficker worm saga: a new module that is being pushed out to some infected systems.

In a couple of ways, the new component is designed to harden infected machines against an industry consortium that is actively trying to contain the prolific worm. For one, the update targets antivirus software and security analysis tools to prevent them from removing the malware. Not only does it try to disable anti-malware titles, it also goes after programs such as Wireshark and regmon.

And for another, it also greatly expands the number of domain names infected machines contact on a daily basis.

Up to now, a pseudo random domain name generator produced 250 addresses that infected machines reported to each day. The industry consortium, dubbed the Conficker cabal, responded by cracking the algorithm and snapping up those domains ahead of the malware authors to prevent the infected machines from sustaining further damage.

The new component ups the ante by increasing the number of domains to 50,000 per day.

“It’s clearly trying to work around the work of the cabal,” Vincent Weafer, vice president of Symantec Security Response, told The Register.

So far, Symantec has been able to confirm delivery of the new component to only a handful of machines. Symantec researchers are in the process of determining if the updates are just the beginning of what will eventually be pushed out to infected machines everywhere, but either way, this appears to be the first time the malware authors have actually pushed out an update. Up to now the machines have phoned home but never received a reply.

“That’s what makes this interesting, because this is what we believe is the first example of receiving an answer to that call,” Weafer said. “Today is the very first case of that being successful.”

Estimates of the number of machines infected by Conficker vary, from hundreds of thousands to more than 10 million. Weafer and other security researchers have said Conficker’s growth has slowed over the past few weeks. That suggests its authors may be more focused on protecting the machines they’ve already vanquished than claiming new ones.

posted by: Myke Reinhold
source: The Register

Posted in Internet, Security | No Comments »

1. March 2009 by Myke.

Source of story - The Register

Facebook has again been attacked by a Spamming Malware file, which tells us that the popularity of Facebook is growing very fast.  The Facebook user receives a notification that their account is in violation of Facebook rules.  Their is a link to the violation which then attacks the computer and then posts the same message to all of their friends on Facebook.  The link is listed as “f a c e b o o k - - closing down!!!”.  This is now the second attack in less than a week.

Folks, if you use Facebook you need to use some common sense.  Remember, if you do not know the person ignore it. 
Screenshots from Trendmicro

Video feed of another Facebook Malware attack

There is a lesson to be learned folks. Do not install anything from any site you do not know or recognize.

Posted in Internet, Security | No Comments »

30. January 2009 by Myke.

Sexual performance enhancers and pharmaceuticals were the most common subjects used by spam in 2008

GLENDALE, Calif., Jan. 28, 2009 ” PandaLabs, Panda Security’s malware analysis and detection today revealed the results from its analysis on 430 million email messages from 2008 and discovered that only 8.4 percent of messages that reached companies were legitimate. Some 89.88 percent of messages were spam, while 1.11 percent were infected with some type of malware. This data has been compiled after the analysis by TrustLayer Mail, the clean mail managed service from Panda Security.

Only January 2008 witnessed levels of spam below 80 percent. The amount of spam fluctuated throughout the year, peaking in the second quarter at 94.27 percent of all mail reaching companies.

With respect to infected messages in 2008, the Netsky.P worm was the most frequently detected malicious code. This type of malware activates automatically when users view the infected message through the Microsoft Office Outlook preview pane. It does this by exploiting a vulnerability in Internet Explorer that allows automatic execution of email attachments. The exploit of this vulnerability was detected by PandaLabs as Exploit/iFrame and was the third most frequently detected type of malware in emails by TrustLayer Mail.

“The fact that these two malicious codes often act in unison explains the high number of detections of both,” said Luis Corrons, Technical Director of PandaLabs. “Cyber crooks often launch several strains of malware with each exploit to increase the chances of infection, so even if users whose systems are up-to-date are immune to the exploit, they could still fall victim to infection by the worm if they run the attachment.”

The Rukap.G backdoor Trojan, designed to allow attackers to take control of a computer, and the Dadobra.Bl Trojan were also among the most prevalent malicious code.

Top Malware in email Netsky.P.worm Bck/Rukap.G Exploit/iFrame Trj/Dadobra.BL Generic Malware Trj/Downloader.PSJ Trj/SpamtaLoad.DO Trj/Downloader.PWR Bck/Haxdoor.PL Trj/Spamtaload.DZ

“For companies, spam is more than just a nuisance. It consumes bandwidth, wastes employees’ time and can even cause system malfunctions. In the end, it all results in a loss of productivity,” adds Luis Corrons.

Much of this spam was circulated by the extensive network of zombie computers controlled by cyber-crooks. A zombie is a computer infected by a bot, a type of malware allowing cyber criminals to control infected systems. Frequently, these computers are used as a network to drive malicious actions such as the sending of spam. Just in the last three months of the year, 301,000 zombie computers were being put into action every day.

Spam subjects in 2008

With respect to the different types of spam in circulation, 32.25 percent of spam in 2008 was related to pharmaceutical products with sexual performance enhancers accounting for 20.5 percent.

Spam relating to the economic situation also grew significantly throughout 2008. False job offers and fraudulent diplomas accounted for 2.75 percent of all junk mail in the year, while messages promoting mortgages and fake loans were responsible for 4.75 percent.

Spam promoting fake brand products, such a swatches, was responsible for 16.75 percent of the total. This last category nevertheless, dropped from 21 percent in the first half of the year to 12.5 percent in the last six months. To view an entire breakdown of the variety of spam subjects that PandaLabs discovered, please access the data here: http://www.flickr.com/photos/panda_security/3234535186/

About PandaLabs Since 1990, its mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda Security’s new security model which can even detect malware that has evaded other security solutions. Currently, 94 percent of malware detected by PandaLabs is analyzed through this system of collective intelligence. This is complemented through the work of several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc), working 24/7 to provide global coverage. This translates into more secure, simpler and more resource-friendly solutions for clients. More information is available in the PandaLabs blog: http://www.pandalabs.com and the Panda Security website: www.pandasecurity.com/usa.

Posted in Spam, Internet, Security, Exchange | No Comments »

30. January 2009 by Myke.

Black Hat researcher will show how the bad guys can use a database’s own features against it

A database security researcher will demonstrate at next month’s Black Hat DC how an attacker who breaks into a SQL Server database can cover his tracks using antiforensics techniques.

Cesar Cerrudo, lead researcher for Application Security’s Team SHATTER, and founder and CEO of Argeniss, says he will show a proof-of-concept that circumvents forensics investigations by abusing some inherent features in the database. “If the attacker has done a good job of removing his tracks, then it becomes pretty difficult to determine what was done, how it was done, why, and by whom,” Cerrudo says.

So far, Cerrudo says he hasn’t seen any database attacks that have gone to the next level like this yet. “But as criminal hacking is rapidly growing, and databases are where the juicy stuff is saved, in the future we will start to see more and more sophisticated attacks,” he says, especially since many big breaches are the result of database hacks.

And in the current economic climate, the risk of an insider attack is even higher. The financial pressures of a possible layoff or otherwise could entice a database operator to go rogue. “The main point of this research is that if you don’t properly protect database servers, soon or later you will get hacked and probably lose millions of dollars,” he says.

Although Cerrudo’s research focuses on SQL Server, any database could be hacked and manipulated with antiforensics, he says. Among the database features that the bad guys can use for nefarious purposes are the ability to load external libraries or binary code, which can manipulate the server itself. Buffer overflow attacks are another way to do so as well, according to Cerrudo.

All it takes is for an attacker to gain database administrative privileges — which is not difficult if the database isn’t locked down properly — by exploiting a vulnerability in the database or stealing the credentials via a Trojan or brute-force hacking, for instance.

“Once you have enough privileges, you can do anything on any database server. This includes loading code to database server memory, [and] then this code can manipulate all functionality and let the attacker perform any actions” on the database he wants, Cerrudo says.

If the database hack using antiforensics is detected, some of the damage can be discovered by forensics, such as stolen data or changes made to the data stored in the database, for instance. But how it was hacked or who did it would remain a mystery, he says.

An attacker who infiltrates a database can even frame another person for the attack using antiforensics techniques. “One of the scary things about these antiforensics techniques is that the attacker can point investigators in the wrong way by making it look like another person performed the attack,” Cerrudo says.

The attacker could leave behind phony tracks that incriminate the victim organization’s database administrator so that when the forensics investigators do their work, all evidence leads to the database admin rather than the real culprit. “Without logs or [with] confusing logs, investigation becomes harder, the evidence is not enough, and in order to find the real culprit you must find real evidence that points to him,” Cerrudo days.

How can an organization protect itself from such an attack? “Nowadays, using a third-party monitoring mechanism should be a must since built-in security mechanisms can’t protect [the database] once the attacker has enough permissions,” he says.

Cerrudo also recommends regular database patching, strong passwords, and periodic database vulnerability scans.

Posted in SQL, Security, Servers | No Comments »