02/05/2013 05:08:21
Great reference for MS-patch status, thanks!
AutoRun
Tim Rains published an article on Microsoft TechNet covering the malware families most commonly found on Windows machines, broken down by the version of Windows being run. That article includes the following chart:
The malware and potentially unwanted software families most commonly detected by Microsoft antimalware solutions in the second quarter of 2012 (2Q12), and how they ranked in prevalence on different platforms

Most of this data is compiled from MSRT scans along with Windows Defender and Microsoft Security Essentials telemetry reported when these products phone home to Redmond. Many will be concerned about the high prevalence of Blacole (Microsoft's name for the Blackhole exploit kit), and it certainly ranks high on the chart. Add the fact that Blacole infects through drive-by download attacks against systems with out-of-date software installed, and you get the picture: users in general do a rather poor job of keeping their software updated, all of it.
That all said, what concerns me the most is the top two on the chart – Win32/Keygen and Win32/Autorun. Windows 7 is the most widely used consumer operating system worldwide, and the most prevalent families on both Windows 7 RTM and Windows 7 SP1 tended to be the same families that were prevalent overall.
I have been screaming about the dangers of AutoRun since 2006 and imploring users to disable it since then. I have written about it countless times. Yet, even though Microsoft released a patch to disable AutoRun last year and a FixIt to disable it way back when Windows 2000 was still supported, AutoRun worms are still ranked very high on Windows, even Windows 7 systems. Why is this? Simple – people still prefer convenience to security, and the damned thing is still alive and running well on countless Windows machines all over the world.
The top families of threats that use the technique of attacking through AutoRun include Win32/Taterf, Win32/Rimecud, Win32/Conficker, and Win32/Autorun. Unfortunately, all are still alive and well, and it’s due to all the Windows machines that still have the AutoRun ‘feature’ enabled in the interests of preference and convenience, or lack of knowledge. I think it is time we all try to finally put an end to this.
If you know anyone who still has AutoRun enabled, send him or her some help:
Defending against AutoRun attacks –
http://blogs.technet.com/b/security/archive/2011/06/27/defending-against-autorun-attacks.aspx
Security Advisory 967940 insight –
And finally, KB967715 on how to disable it complete with the FixIt –
http://support.microsoft.com/kb/967715
or for the ‘tinkerer’ you might know, a quick registry edit fix that still works the best –
Instructions -
Step 1. Start Notepad or another text editor.
Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets must be all on one line):
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.
Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.
UPDATE 2009-01-21: As an extra precaution, it’s a good idea to reboot your PC after Step 4, on the off chance that some old information was residing in cache memory.
Dennis M. Ritchie (1941 - 2011)
I thought I should spend some time introducing you to a quite memorable acquaintance from the 1960s whom I met while studying and working in computer science at the University of Arizona. He made an extraordinary impression on me that lives on to this day.
The news that Dennis M. Ritchie, the creator of the C programming language and co-creator of the UNIX operating system, was found dead on October 12, 2011, made the Internet headlines, yet most people never even noticed.
The loss of Steve Jobs is recognizably an enormous loss to society and the world. A few days later, we lost Dennis M. Ritchie. It is an understatement to say that Steve Jobs, and everyone like him, has been standing on Dennis M. Ritchie's shoulders for years. Dennis M. Ritchie was a giant and should be recognized as such.
Simply put, this world is a better, more productive, and richer place because of Dennis M. Ritchie.

Dennis Ritchie (standing) and Ken Thompson at a PDP-11 in 1972 at Bell Labs
Dennis Ritchie is the father of the C programming language, and with fellow Bell Labs researcher Ken Thompson, he used C to build UNIX, the operating system that so much of the world is built on - including the Apple Empire overseen by Steve Jobs.
Pretty much everything on the web depends on two things: C and UNIX. The browsers are written in C and C++. The UNIX-derived kernels that most of the Internet runs on are written in C. Web servers are written in C, or in Java or C++, which descend from C, or in Python or Ruby, whose interpreters are implemented in C. And the network hardware and software running all of these programs is written in C.
Windows itself is written largely in C, and UNIX underpins both Mac OS X, Apple's desktop operating system, and iOS, which runs the iPhone and the iPad.
Dennis Ritchie built C because he and Ken Thompson needed a better way to build UNIX. The original UNIX kernel was written in assembly language, but they soon decided they needed a “higher level” language, something that would give them more control over all the data that spanned the OS. Around 1970, they tried building a second version with FORTRAN, but this didn’t cut it, and Ritchie proposed a new language based on a Thompson creation known as B.
That first version of the language wasn't all that different from C as we know it today, though it was a bit simpler. It offered real data structures and "types" for defining variables, and this is what Ritchie and Thompson used to build their new UNIX kernel.

Ken Thompson & Dennis Ritchie
Ritchie worked together with Ken Thompson, the scientist credited with writing the original UNIX.
One of Ritchie's most important contributions to UNIX was its porting to different machines and platforms.

Thompson, Ritchie & Bill Clinton
On April 21, 1999, Thompson and Ritchie jointly received the National Medal of Technology of 1998 from President Bill Clinton for co-inventing the UNIX operating system and the C programming language which, according to the citation for the medal, "led to enormous advances in computer hardware, software, and networking systems and stimulated growth of an entire industry, thereby enhancing American leadership in the Information Age".
The Fedora 16 Linux distribution, which was released about a month after Dennis died, was dedicated to his memory. FreeBSD 9.0, released January 12, 2012 was also dedicated in his memory.
So, the next time you sit at a keyboard and enjoy what your computer can do for you, pause for a moment and give some thought and thanks to Dennis MacAlistair Ritchie, known simply to friends as DMR, and to everything he freely gave to all of us. He was a true giant who helped us all. We all owe him a debt of gratitude for what we have in computer science today, and many have been standing on his shoulders for years.

Dennis Ritchie, 1999
Born September 9, 1941
Died October 12, 2011 (aged 70)
Known for -
ALTRAN
B
BCPL
C
Multics
UNIX
Notable awards -
Turing Award
National Medal of Technology
DNS Changer is not Doomsday, Armageddon, or the end of the Internet
Posted by Dave
05/02/12
DNSChanger virus spells 'Internet Doomsday' … The end is nigh, according to the FBI … 'Internet doomsday' will strike us all on July 9 …
These and other headlines have been running on a number of popular sites for the past few weeks, and similar stories have aired on local television stations as well, leaving many people genuinely scared. To me this represents some of the most ridiculous and irresponsible writing and reporting I have seen in the twenty years I have been a security specialist. Scaring the bejesus out of people is not nice; it is counter-productive and incorrigible behavior, in my opinion.
With an estimated four million infected computers (500,000 in the U.S. alone), DNSChanger was one of the largest botnets ever dismantled. However, despite what you may have read, this botnet wasn't designed to steal your credit-card numbers or bank-account passwords. DNSChanger rerouted your browser to websites that mostly sold little blue pills, antivirus products that didn't work, and other crappy stuff.
Typically, DNSChanger infected systems by posing as a codec needed for viewing videos streamed from adult sites. When you clicked to view these bogus videos, Windows Media Player would complain that it didn't have the right codec. Users then downloaded the codec from the site, gave permission to install the codec, and it was game over – infected immediately.
So, where are most of the infected computers located? Here in the US, half of the Fortune 500 companies and roughly half of all U.S. government agencies now have one or more PCs infected with DNSChanger, including the FBI, CIA and NSA.
The machines in question have been infected with a variant of TDSS/Alureon, which has rootkit behavior. The infection changes your computer's DNS server settings, usually by editing the Registry; some variants also changed the DNS settings on home routers that still had their default passwords. You were then silently rerouted, by DNS servers the bad guys set up, to web pages they also set up to push rogue AV and phony pharmaceuticals of all kinds.
What can the average user do about all this? It is actually quite simple, and a lot easier than the press and tabloids make it out to be. The first step is to see if you are indeed infected. The FBI and other agencies would have you visit numerous web pages, download files, and submit your machine to a lengthy online scan. Links to all of this have been provided on sites and pages too numerous to count. Let's keep this simple and easy:
In the US, go to http://dns-ok.us/ and if you are OK, your screen will look like this:

Nice green background means you are not infected – good to go, and this test took all of about two seconds. If the background is red, you are infected, but don’t be scared – there is an easy fix for this too.
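The same check can be run offline, without trusting any web page: compare the DNS servers the machine is actually configured to use against the rogue resolver ranges published for this botnet. The script below is an added example and is not part of the original post. The ranges in it are the ones listed in the FBI's public DNSChanger notice (verify them against that notice before relying on the list); the `ipconfig /all` output embedded in the script is constructed sample data so the check runs on any platform, and on Windows the script runs the real `ipconfig /all` instead.

```python
"""Offline DNSChanger check: is this host configured to use one of the
botnet's rogue DNS resolvers?

Added example, not part of the original post.  The ranges are the ones listed
in the FBI's public DNSChanger notice; confirm them against that notice before
relying on the list.  SAMPLE_IPCONFIG is constructed test data so the script
runs on any platform; on Windows it runs the real `ipconfig /all` instead.
"""
import ipaddress
import subprocess
import sys

# Rogue resolver ranges operated by the DNSChanger botnet (per the FBI notice).
ROGUE_DNS_RANGES = [
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
]

# Constructed `ipconfig /all` excerpt: the first DNS server sits in a rogue
# range, the second is the home router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.34
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _as_ip(text):
    """Parse an address, tolerating an IPv6 zone suffix such as '%12'; None if not an IP."""
    try:
        return ipaddress.ip_address(text.split("%", 1)[0].strip())
    except ValueError:
        return None


def parse_dns_servers(ipconfig_output):
    """Return the DNS server addresses listed in `ipconfig /all` output.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on indented continuation lines that contain only an address.
    """
    servers = []
    in_dns_block = False
    for raw in ipconfig_output.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            in_dns_block = True
            first = line.split(":", 1)[1] if ":" in line else ""
            if _as_ip(first) is not None:
                servers.append(first.strip())
            continue
        if in_dns_block:
            if _as_ip(line) is not None:
                servers.append(line)
            else:
                in_dns_block = False   # any other field ends the server list
    return servers


def rogue_servers(dns_servers, ranges=ROGUE_DNS_RANGES):
    """Return the subset of dns_servers that fall inside a rogue range."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    hits = []
    for server in dns_servers:
        ip = _as_ip(server)
        if ip is not None and ip.version == 4 and any(ip in net for net in nets):
            hits.append(server)
    return hits


def check_host(ipconfig_output=None):
    """Return (configured servers, rogue subset); with no text given, runs ipconfig (Windows only)."""
    if ipconfig_output is None:
        if sys.platform != "win32":
            raise RuntimeError("live check needs Windows; pass ipconfig output explicitly")
        ipconfig_output = subprocess.run(
            ["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
    servers = parse_dns_servers(ipconfig_output)
    return servers, rogue_servers(servers)


if __name__ == "__main__":
    servers, hits = check_host(None if sys.platform == "win32" else SAMPLE_IPCONFIG)
    print("configured DNS servers:", ", ".join(servers) or "(none found)")
    if hits:
        print("INFECTED: rogue DNSChanger resolver(s) in use:", ", ".join(hits))
    else:
        print("OK: no configured DNS server falls in a known rogue range")
```

Run it on the suspect machine with no arguments. One caveat applies to this check and to the dns-ok.us test alike: DNSChanger also rewrote the DNS settings on home routers that still had default passwords, and a PC behind such a router shows the router's own address (192.168.1.1 in the sample) as its DNS server while the router forwards every query to the rogue resolvers. If the PC comes up clean but the browser test still shows red, check the router's WAN DNS settings as well.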
To get rid of a DNSchanger infection, there are a number of easy solutions available to you, but the quickest and easiest to use on a Windows machine is Windows Defender Offline. All you need is a USB flash drive; then you go to http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and download the 32-bit or 64-bit msstool file that is under 1 MB in size. Once the file is saved to the flash drive –
Easier yet, you can also download and run the Windows Malicious Software Removal Tool here –
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=16
Barring that, some AV vendors have removal tools that can deal with this infection or you can also go to -
http://www.exterminate-it.com/malpedia/remove-dnschanger and download the ExterminateIt file. You then install that program. After installing the program, run a scan to display a list of the files associated with DNSChanger in the Scan Result screen and remove these files.
So, as you see there are multiple ways of dealing with this, but for the average user I feel the Microsoft solutions will be the easiest and the best choices and they will keep you out of additional difficulty.
DNS Changers are nothing really new. They have been around since early 2005, and have all been easy to deal with so long as you use the right tools or have a good AV solution in place.
In any case, as we said at the beginning, this is not Doomsday or Armageddon, and I simply cannot understand why it is taking so long for network administrators and security folks to eradicate this stuff. It was discovered last July, removal tools have been available since August, and the botnet has been gone since early November last year. Maybe the big guys and government really do move this slowly. I am also betting that the FBI (DNSChanger Working Group) will again ask for and be granted yet another extension when the deadline approaches in July in order to keep the DNS server farm running. Just remember that someone has to pay for all of this (that’s right – your tax dollars hard at work again).
C’mon folks, let’s get this over with already!
Accuvant (a Denver-based IT security company) last week released a new Google-commissioned and Google-funded browser study comparing Chrome, Internet Explorer and Firefox to determine which browser is the most secure. The study results, posted on the company blog at http://www.accuvant.com/blog/2011/12/05/which-web-browser-is-most-secured, conclude that Google Chrome is the most secured web browser, Internet Explorer is a close second, and Firefox is a very distant third.
This has already created a huge stir in IT land, and there are no fewer than 50 different articles already on the Internet from just about everybody you never heard of before who is suddenly an expert. A quick search for Accuvant + Firefox will get you over 30,000 results in a heartbeat, and a number of the results are from well-respected sources and security companies.
My inbox has already been flooded with inquiries on this subject, asking whether I have changed my mind about Firefox, which is the browser I have always recommended in the past, so I thought it best to put what I know to be factual in a blog post to answer everyone's curiosity on the subject.
First, I downloaded all the Accuvant papers, custom tools that were used etc, and had a very good look at everything in the lab from my usual unbiased viewpoint.
This whole project was actually done much earlier this year (July), but Google held releasing it until this week. The report is definitely skewed and inaccurate, and the tools are custom built and designed to achieve a specific loaded test result. No real world browser attacks were ever used. No real world malware was ever used. Not even Metasploit was used. This is supposed to be a security company? I think my home lab is better.
I personally believe this whole thing is a bad joke at Mozilla's expense and designed to deliberately attempt to tube Firefox.
All my real-world tests in the lab have shown quite different results, and I also find Firefox is the quickest at patching actual vulnerabilities, most of which are fixed in a new release before the vulnerabilities are even announced and CVEs are assigned. The actual average response time by Mozilla to a real security vulnerability, when they are caught off guard, is about 48 to 72 hours. The extended Mozilla response time shown by Accuvant is in reality for non-security-related bug fixes. Big difference. In addition, a lot of the Chrome releases on their rapid release schedule have more to do with what isn't working properly than with making it more secure. Their latest version, just released yesterday, plugs 15 security holes and has been in the works for 7 weeks.
Also, the Accuvant report continually refers to Chrome as the most 'secured' rather than most 'secure' browser and continually references the built in sandbox that Chrome touts so loudly - there is technically a big difference between these two terms. Want to try a real test? Come at my servers using Chrome and see the results you get - I have 7 different files I can launch at you in response that will all completely bypass Chrome's sandbox plus DEP and ASLR like they don't exist and I own your box - you are pwned in about 2.5 seconds and you won't even know it. Do the same with Firefox set up the way I show you in my Browser Security paper and none of these attacks work – none. Like I said - no real world tests were ever done and no real world malware was ever used.
The simple truth is that sandboxes are far from a perfect defense and can easily lead to a false sense of security. The same is true of DEP, ASLR and JIT hardening. All can be easily bypassed, and this is an absolute fact. Further, URL blacklisting (suggested by Accuvant) is a horrible technology that has never worked well and slows down the browser measurably. Plus, how can you keep it updated? A new malicious URL arrives on the Internet about every 19 seconds. Sure, we can all keep updated for that.
This entire report is flawed and full of BS, and I am far from the only one that thinks so - go here if you don’t believe me -
**********
Update on 12/16/11
I also recommend you take a minute and read here as well –
And an NSS Labs report titled The Browser Wars Just Got Ugly
**********
I think both Google and Accuvant should be too ashamed to even publish this rubble (maybe this is one reason Charlie Miller left Accuvant - he has an extremely low BS tolerance level and now works for the DoD). This report ranks right up there with the special rigged site Microsoft set up that 'proves' IE 9 is the #1 and IE 8 is the #2 safest browser - no matter what browser you test against the site it is no match for IE. I'm personally getting very tired of these guys confusing an already frustrated public with more FUD and BS to try and improve their market position. They should put half that effort into a real solid product that does what the average user really needs it to do - be fast, secure, and keep him safe on the web. Oh wait, that has nothing to do with marketing and bragging rights; so it will never happen.
I end my arguments with this -
This past 48 months, there were three different very special high-security browsers developed and released (not to the public necessarily) and all three were specific purpose and custom designed to be the safest and most attack proof browser that could possibly be constructed. One was specially built in Germany for use by the German government, one was built here in the US for use by the military, FBI, CIA, NSA and other 'special' agencies. The last was an open source project put together by security researchers and browser programming specialists from 4 countries.
All three of these projects have one thing in common - their efforts were assisted by programmers at Mozilla and it resulted in the release of three very special bulletproof versions of - you guessed it - Firefox. I personally own and use all three versions regularly for special research projects and cannot find a way to successfully compromise any of them with anything I have; and they 'leak' absolutely nothing to the web. Two of the three actually run in a full virtual environment. I rest my case and will be sticking with Firefox until something that really is truthfully proven to be better is released.
Operation Shady Rat
This is another one that is starting to drive me nuts.
A week ago, McAfee released a report named Operation Shady RAT, and it has been causing a huge stir ever since. It claims to expose a hack of unprecedented proportions carried out against major companies and interests over a long period, and presents it as an APT the likes of which has never been seen before. There have been numerous articles from other security vendors and from just about every technology writer I can think of who has suddenly become a security expert. Naturally both Symantec and Kaspersky are commenting and doing their best to discredit McAfee and their work. I view this whole charade as a marketing gimmick and not much more.
Let's look at this from a realistic rather than a sensationalistic viewpoint. First, the report title is a bit gimmicky, because most people don't know what a RAT is. It is simply an acronym for Remote Access Tool (or Remote Access Trojan). Is this a hack of unprecedented proportions? Not really. The paper covers what was found on one command-and-control server, and in my research I come across them weekly. Is this new news? Not really. Similar attacks from nation states and hacking groups go on daily against numerous targets globally.
What about it being an APT? That is a term, or acronym (Advanced Persistent Threat), not a definition, and I have my own outlook on what an APT is: it is Advanced because it got by your defenses, it is Persistent because it took you too long to discover it and it may still be operating in your system or network, and it is indeed a Threat because you need to take defensive action and eliminate it properly. APT is nothing new; this kind of activity was first disclosed and discussed some five years ago, when Shawn Carpenter, a security analyst, was fired from Sandia Labs after disclosing his discovery on their servers, resulting in a wrongful-discharge and defamation suit (Carpenter won the suit for 4.3 million). APT today has become yet another popular buzzword, and it is certainly overused.
Then there is the indication in the report that China is involved, and this is nothing new either. China has been involved in these activities for more than ten years. If you want to read a quality paper that really digs into this, I suggest the Northrop Grumman-prepared report released by the US-China Economic and Security Review Commission in 2009, "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation". It contains far more quality information than the McAfee report. Again, nothing new has been uncovered here.
My thought is that if security vendors and researchers really desire to help to the benefit of all, then appropriate responsible disclosure complete with the facts and technical details is the only way to go. No sensationalism and 30 minutes of fame should be involved. Details of an attack should only be given to authorities and those involved and not publicly shared in a way that could be harmful to any ongoing investigation. Opinions have no place in this as they are just that – opinions, and everyone has them, but that does not mean they are necessarily correct and need to be publicized for the purpose of one-upmanship or marketing ploys.
As for the mention of the FBI, this always seems to elevate the credibility and validity of the story or report and makes it more ‘newsy’. FBI involvement is often misunderstood. Security researchers and analysts often release their findings to the FBI who in turn checks the information for validity and then informs the affected party of the attack or breach. Many researchers have found this to be a far safer method because if they approach the company or entity directly they have often been accused of being the perpetrator. Does the FBI actually launch an investigation itself? Not necessarily, unless it is a matter of national security or interest. In many cases they act in the role as the informing entity and not much more, offering no assistance in the case, but at least it gets the ball rolling.
As I have said often in the past; we, the good guys, are all in this together. We simply need to cooperate and work together. No chest pounding, no ‘look what I found’ or ‘look what I did’, just help each other and work together. It’s the only way we can ever hope to win, because if we don’t, they win.
There – now you have my opinion and I thank you for taking the time to read it.
**********
Disable Extension Install Delay Hack
Speed Hack
Type about:config into the Firefox address bar and hit enter
Enter network.http into the Filter text box
network.http.pipelining: Change this to true.
network.http.proxy.pipelining: Change this to true.
network.http.pipelining.maxrequests: Change this to 8.
Now search for max-connections and you should see:
network.http.max-connections: Change this to 96.
network.http.max-connections-per-server: Change this to 32.
Firefox version information
You can get details on the version of Firefox you are running, along with the installed extensions and more, by opening a new tab and typing about:support in the address bar.
New Permissions Manager
In Firefox 6, Mozilla has added a new permissions manager that lets advanced users tweak options on a per site basis. The new manager, which can be reached by typing "about:permissions" in the browser's address bar, can be used to modify settings for password capture, cookies, pop-ups and more.
Shutting Down Auto Play IS NOT a Fix!
I really can’t believe that I need to cover this again, but apparently some folks have not been paying attention even though I have been yelling about this since 2008. How do I know? I have received two emails on this very subject this month already. Soooooooooo, I am going to cover this hopefully ONE LAST TIME!
Yes, Microsoft released a patch in 2009 that turns off (supposedly) Auto Play. Many users have applied the patch and feel that they are all done and now safe. WRONG, WRONG, WRONG!!! As I have said many times before, shutting down Auto Play is not a fix. I don’t care what Microsoft says or how many times they say it.
In Windows 2000, nothing happens when a USB flash drive is inserted. In Windows XP and Vista, the default for USB flash drives is to prompt the user for a decision if autorun.inf tries to launch a program. Inserting a CD or DVD into a drive, however, defaults to running whatever autorun.inf may be present.
In XP, you can change the defaults for AutoPlay on a given drive by right-clicking the drive in Windows Explorer and choosing Properties. Click the AutoPlay tab and use the controls there to change the settings for different types of media. Making changes in this dialog box, however, does nothing to prevent autorun.inf from being executed.
In Vista, end users can choose one of several options, even for software programs that use autorun.inf: (1) always launch the program, (2) always open a listing of the disc in a Windows Explorer window, (3) always prompt for a choice, or (4) take no action.
Unfortunately, none of the above steps can safeguard you against a malicious autorun.inf on removable media. I do not claim to be a hacker, but I am able in just a few minutes to make an AutoRun file that will run just fine, even with AutoPlay disabled in XP and "take no action" selected in Vista.
The exploit involves creating an autorun.inf file that adds a new default command to a USB flash drive's context menu. If you have "take no action" selected in Vista, the flash drive doesn't automatically launch any programs when first inserted. But double-clicking the flash drive icon in My Computer, for example, is all it takes to launch whatever commands are in autorun.inf (which the attacker has made the default command, in place of Open).
A clever hacker could easily make a worm that (1) spreads itself to all your drives when launched in this manner and then (2) displays the drive contents in a window, as expected. This would make it appear that nothing unusual had happened. You don't think this could happen? Ask anyone who got infected with Conficker; it has already happened more than 10 million times. And it is still happening. Daily!
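To see exactly what an autorun.inf on a suspect drive would do before anything double-clicks it, the following script is an added example (not part of the original post) that parses the file and lists every way it can start code, including the default-verb hijack just described. The sample autorun.inf in the script is constructed to mirror that technique: it dresses the drive up as a folder, installs an "open" verb whose command launches a hidden payload, and then makes that verb the default action; the payload path is made up.

```python
"""Triage an autorun.inf: list every command Windows could be talked into
running from it, including the default-verb hijack described above.

Added example, not part of the original post.  SAMPLE_AUTORUN_INF is
constructed to mirror that technique: it dresses the drive up as a folder,
installs an 'open' verb whose command launches a hidden payload, and makes
that verb the default action, so double-clicking the drive icon runs the
payload even with AutoPlay set to 'take no action'.  The payload path is
made up.
"""
import configparser
import re
import sys

SAMPLE_AUTORUN_INF = """\
xK8fq3 junk ahead of the header; malware authors pad the file to trip up scanners
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
open=RECYCLER\\hidden\\payload.exe
shell\\open\\command=RECYCLER\\hidden\\payload.exe
shell\\open\\default=1
shell\\explore\\command=RECYCLER\\hidden\\payload.exe
shell=open
"""


def autorun_launch_vectors(inf_text):
    """Return (kind, target) pairs for every way this autorun.inf can start code.

    kinds: 'open', 'shellexecute', 'shell\\<verb>\\command', and 'default verb'
    (the verb a double-click on the drive icon will run).
    """
    # Windows skips anything before the first [section]; so do we.
    lines = inf_text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.lstrip().startswith("[")), len(lines))
    parser = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=(";", "#"), inline_comment_prefixes=None,
        strict=False, allow_no_value=True, empty_lines_in_values=False)
    parser.read_string("\n".join(lines[start:]))

    vectors = []
    for section in parser.sections():
        # [autorun] plus architecture-specific variants such as [autorun.alpha]
        if not section.lower().startswith("autorun"):
            continue
        default_verb = None
        for key, value in parser.items(section):
            key = key.lower()              # Windows matches keys case-insensitively
            value = (value or "").strip()
            if key in ("open", "shellexecute"):
                vectors.append((key, value))
            elif key == "shell":
                default_verb = value.lower()
            else:
                m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
                if m:
                    vectors.append((f"shell\\{m.group(1)}\\command", value))
        if default_verb:
            vectors.append(("default verb", default_verb))
    return vectors


def double_click_command(vectors):
    """The command a double-click on the drive icon runs when the default verb is hijacked."""
    default = next((t for k, t in vectors if k == "default verb"), None)
    if default is None:
        return None
    return next((t for k, t in vectors if k == f"shell\\{default}\\command"), None)


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # e.g. python autorun_triage.py E:\autorun.inf
        with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTORUN_INF
    vectors = autorun_launch_vectors(text)
    for kind, target in vectors:
        print(f"{kind:24} -> {target}")
    hijack = double_click_command(vectors)
    if hijack:
        print("double-clicking the drive icon would run:", hijack)
    elif not vectors:
        print("no launch vectors found")
```

Point it at the autorun.inf of a drive you do not trust (copy the file off with the drive mounted read-only, or read it from a forensic image) rather than browsing the drive in Explorer, since browsing is exactly the action the hijacked verb is waiting for. An icon and a label alone are harmless; any `open`, `shellexecute` or `shell\<verb>\command` entry on removable media deserves a look, and a `shell=` line that points at a verb with its own command is the signature of the trick.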
Block AutoRun for all devices all the time
You might think you could protect yourself from AutoRun by using two Registry values known as NoDriveAutoRun and NoDriveTypeAutoRun.
However, these values can be overridden. A Registry key named MountPoints2 caches information about every USB flash drive and other removable device that has ever been connected to your computer, and that cache takes precedence over the settings that turn AutoRun off. (The Microsoft update described in KB967715, linked above, was issued to correct exactly this behavior.)
The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. If you are ready to fix this mess once and for all, here is the procedure -
1- Start Notepad or another text editor.
2- Copy the following text from this page and paste it into your text editor (everything between the square brackets must be all on one line):
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Make sure you verify that you have all 3 lines exactly as they are shown above. In Notepad, you may have to click on ‘Format’ and deselect Word Wrap so that you do not break up the second line. Everything on the second line including the brackets must all be on one line.
3- Save the file with a name like noautorun.reg, (be sure you include the .reg extension). Important: Be sure to save this as ‘all files’ or your text editor will ignore the .reg extension and save it as a text file which won’t do anything for you.
4- Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry. Be sure you also get a message box indicating the information has been added to the Registry, and confirm that message as well. Reboot.
The next time you insert a flash drive, CD, DVD, or other removable disc into your system, Windows will not act on any autorun.inf file that may be present. The reason is that IniFileMapping tells Windows to read the contents of an .ini-style file of that name from the Registry instead of from the file itself; pointing Autorun.inf at a Registry key that does not exist makes every autorun.inf look empty to Windows, regardless of what the file actually contains.
Taking these steps means that the next time you put a game or installer disc into your CD or DVD drive, its software won't launch automatically. You will have to open a Windows Explorer window or use a command line to launch the desired file or executable. A minor annoyance at most. Get over it and get used to it!
The benefit is huge: a rogue program that you never intended to launch won't silently take over your system if you happen to insert a Trojan-carrying disc into a drive, or a malware infested USB drive into a port.
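The registry fragment appears twice on this page (under the AutoRun post above and again in the procedure just given), and both copies are easy to get wrong when typed by hand: a missing space in "Windows NT", dropped backslashes, a key line wrapped onto two lines, or curly quotes pasted from a word processor all produce a .reg file that merges without complaint and protects nothing. The script below is an added example and not part of the original post: it writes the file exactly as the procedure specifies, checks a hand-made .reg file for those mistakes before you merge it, and, on Windows only (it uses winreg), reads the key back to confirm the block is in place. The function names are mine.

```python
"""Write and sanity-check the noautorun.reg file from the procedure above.

Added example, not part of the original post.  build_noautorun_reg() emits the
same REGEDIT4 fragment the post gives; validate_reg_text() catches the
hand-typing mistakes that make the fix silently do nothing (missing space in
'Windows NT', dropped backslashes, a wrapped key line, curly quotes);
mitigation_active() reads the key back and only works on Windows.
"""
import sys

INIFILEMAPPING_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\IniFileMapping\Autorun.inf"
)
# Points autorun.inf lookups at a Registry key that does not exist, so every
# autorun.inf reads as empty.
BLOCK_VALUE = "@SYS:DoesNotExist"


def build_noautorun_reg():
    """The REGEDIT4 text the procedure has you type, with Windows line endings."""
    return f'REGEDIT4\r\n\r\n[{INIFILEMAPPING_KEY}]\r\n@="{BLOCK_VALUE}"\r\n'


def validate_reg_text(text):
    """Return a list of problems with a .reg file meant to apply this fix; empty means OK."""
    problems = []
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        problems.append("first line must be REGEDIT4 (or 'Windows Registry Editor Version 5.00')")

    key_lines = [line for line in lines if line.startswith("[")]
    if len(key_lines) != 1:
        problems.append("expected exactly one [key] line")
    else:
        key = key_lines[0]
        if not key.endswith("]"):
            problems.append("key line is not closed with ']'; was it wrapped onto two lines?")
        # Registry key names are case-insensitive, so compare lower-cased.
        if key.strip("[]").lower() != INIFILEMAPPING_KEY.lower():
            problems.append(f"key path is not {INIFILEMAPPING_KEY}")
            if "windowsnt" in key.lower():
                problems.append("'Windows NT' needs the space; 'WindowsNT' creates a different, useless key")
            if "\\" not in key:
                problems.append("backslashes between the path components are missing")

    value_lines = [line for line in lines if line.startswith("@")]
    if len(value_lines) != 1:
        problems.append("expected exactly one @= default-value line")
    else:
        if any(ch in value_lines[0] for ch in "\u201c\u201d\u2018\u2019"):
            problems.append("curly quotes found; use straight double quotes")
        if value_lines[0] != f'@="{BLOCK_VALUE}"':
            problems.append(f'default value line must read @="{BLOCK_VALUE}"')
    return problems


def mitigation_active():
    """On Windows, read the key back and report whether the block is in place."""
    import winreg   # Windows-only module; imported here so the rest runs anywhere
    subkey = INIFILEMAPPING_KEY.split("\\", 1)[1]        # drop the HKEY_LOCAL_MACHINE prefix
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, kind = winreg.QueryValueEx(key, "")   # "" names the key's default value
    except FileNotFoundError:
        return False
    return kind == winreg.REG_SZ and value == BLOCK_VALUE


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # validate a hand-made REGEDIT4 file before merging it
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            problems = validate_reg_text(fh.read())
        print("OK to merge" if not problems else "\n".join("problem: " + p for p in problems))
    else:                                     # or write a known-good one
        with open("noautorun.reg", "w", encoding="ascii", newline="") as fh:
            fh.write(build_noautorun_reg())
        print("wrote noautorun.reg; right-click it, choose Merge, then reboot")
    if sys.platform == "win32":
        print("mitigation currently active:", mitigation_active())
```

Run it with the path of your .reg file to check it, or with no arguments to write a known-good noautorun.reg in the current directory. Merging still needs an administrator account, and the read-back check is the one to trust: if `mitigation_active()` prints False after the reboot, the key that was actually created is not the one Windows consults.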
The last one of these I got to fix was a Conficker infestation on a Windows 2003 Server machine that got infected by a USB flash drive. I told them to ‘watch closely and take good notes’ as I disconnected the server from the network, and then explained they needed to disconnect everything else from the network and repeat everything I did on this server to every machine they had everywhere before reconnecting anything. IT TOOK THEM 3-1/2 WEEKS – AND NO NETWORK THE WHOLE TIME. Does this look like it might be a potentially worthwhile fix now?
Remember one thing –
Shutting down AutoPlay is not a fix
Shutting down AutoPlay is not a fix
Shutting down AutoPlay is not a fix
Shutting down AutoPlay is not a fix
Shutting down AutoPlay is not a fix
Shutting down AutoPlay is not a fix
Shutting down AutoPlay is not a fix