WP Remix
Security Threat Research

Archive for November, 2008

26 Nov

Websense® Security Labs™ ThreatSeeker™ Network has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.

The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com TLD space.

Once executed, the malware installs a backdoor that gives its author access to and control over the resources of the compromised machine. Command and control is conducted over IRC, with the bot connecting to ircserver.*snip*.la. During installation an image called xmas.jpg is displayed to the user as a distraction.

Example of malicious email:

Websense Messaging and Websense Web Security customers are protected against these threats.

Category : Websense | Blog
25 Nov

Hi, this is Bill Sisk.

A while back we discussed the fact that we’re likely to see new pieces of malware over the coming weeks that exploit the vulnerability resolved in MS08-067.

Recently we’ve received a string of reports from customers that have yet to apply the update and are infected by malware. These most recent reports have a common malware family, and the folks in the Microsoft Malware Protection Center (MMPC) have provided detailed information regarding this latest threat. The detailed write-ups regarding this threat can be found here and here. It’s important to note that customers who have installed MS08-067 are not affected.

Signatures have also been included to protect against it in the Windows Live Safety scanner – customers that think they might be infected can run that for free by visiting http://safety.live.com.

We continue to urge customers to deploy the update and make sure their security software is updated with the latest signatures.

Thanks,

Bill

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Category : Microsoft | Blog
24 Nov

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new, malicious social-engineering spam campaign that is disguised as an official email sent from Google's Web 2.0 social networking site, Orkut.

This campaign is another attempt by spammers to profit from popular Web 2.0 services. A spoofed personal message, in Portuguese, is sent from a user allegedly on the Orkut network seeking love. This campaign continues a previous attempt to target Orkut. We issued an alert about the previous attempt last week.

Screenshot of the new message:


The message contains several links that appear to lead to the official Orkut Web site. Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named "imagem.exe" (SHA1: 6862b862877e5cb9f2180cc53ee4338977bc0efb).

The malicious file opens the legitimate Orkut login page and, in the background, downloads a password-stealing Trojan named "msn.exe" (SHA1: eee7ea71e6ce023fb9000ed75854a8cfd1fafe63). "msn.exe" is copied to various system locations under different names, including "plugin.exe" and "kss.exe", and these copies are configured to run at system startup.

The Trojans in this attack are hosted on a compromised labor union Web site from southern Brazil. This continues the trend of malcode hosted on compromised Web sites.

Screenshot of the Brazilian labor union Web site's main page:


Websense Messaging and Websense Web Security customers are protected against this attack.
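The two Websense posts in this archive (the Christmas postcard.exe lure above and this Orkut imagem.exe lure) share one shape: a branded sender, a link whose visible text names the brand, and an href that fetches a Windows executable from an unrelated compromised host. The following Python is an added example, not Websense's code, of triaging a message on exactly those three signals and checking a fetched file against the two SHA1 values published in this post. The sample message and the hosting name `sindicato.example.org.br` are constructed for the example; the post does not name the compromised union site, and the domain heuristic is deliberately rough.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the two Websense posts: both lures deliver a Windows
# executable behind a link that claims to be the branded site.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
KNOWN_BAD_SHA1 = {
    "6862b862877e5cb9f2180cc53ee4338977bc0efb": "imagem.exe (Trojan downloader)",
    "eee7ea71e6ce023fb9000ed75854a8cfd1fafe63": "msn.exe (password stealer)",
}

# Constructed sample in the shape of the Orkut lure; the hosting domain is made up.
SAMPLE_EMAIL = """\
From: Orkut <noreply@orkut.com>
To: victim@example.com
Subject: Voce recebeu um recado no Orkut
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alguem quer te conhecer. Veja a foto:</p>
<a href="http://sindicato.example.org.br/fotos/imagem.exe">www.orkut.com/Scrapbook.aspx</a>
<p>Ou entre pela pagina oficial:</p>
<a href="http://www.orkut.com/Login.aspx">Entrar no Orkut</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Rough 'site' for a hostname: last two labels, or three under second-level
    suffixes such as org.br or co.uk. A heuristic, not a public-suffix lookup."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "org", "net", "gov", "co", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_email(raw: str) -> list:
    """Returns human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_site = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.path.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable download: {href}")
        if sender_site and host and registrable_domain(host) != sender_site:
            findings.append(f"link host {host} is not the sender's site {sender_site}")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and host and registrable_domain(shown.group(0)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(0)} but points to {host}")
    return findings


def match_known_sample(data: bytes):
    """Name of the posted dropper/stealer if the bytes hash to one of its SHA1s."""
    return KNOWN_BAD_SHA1.get(hashlib.sha1(data).hexdigest())


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed sample, the first link produces all three findings (executable path, host outside the sender's site, visible text naming a different site) while the genuine login link produces none. The SHA1 match is only useful once the file has been fetched in a sandbox; on the wire the link signals are what a mail gateway can act on.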

Category : Websense | Blog
14 Nov

Hi,

During this month’s webcast we were able to address 12 questions in the time allotted. The questions were spread fairly evenly across both bulletins. We also fielded questions regarding the Exploitability Index and MS08-067 from the October out-of-band release.

Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-November-2008.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:

http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Thanks!

Al Brown

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Category : Microsoft | Blog
11 Nov

MS08-068 and SMBRelay

Posted by MSRCTEAM

Hi, this is Christopher Budd.

We’ve received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack.

Specifically, we’ve gotten some questions about why, in 2008, we’re releasing an update that addresses an issue first discussed in 2001. Since I was in the MSRC back in 2001 when this was all first discussed, I feel well placed to answer that.

At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol. When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) of the network-based applications customers were running at the time inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that similar constraints made it infeasible for customers to implement SMB signing.

After saying that, though, the matter wasn’t closed for us. Since then we’ve been looking at this issue to see if there’s a way we can address it that doesn’t have such a large impact on applications and also doesn’t require application developers to completely rewrite their applications. In general, changes of this magnitude can only be made safely in completely new versions of Windows because of the thorough testing they receive there. And we’ve made some incremental changes in things like Windows XP SP2 and Windows Vista to help address some of this issue.

Over the course of the past year, however, that ongoing work showed us a way to build on those incremental changes that we believed would enable us to make changes that address the issues outlined in the SMBRelay attack and also minimize the impact on network applications. If we were able to do that, we would be able to look at addressing this issue not in a new version of Windows but instead in a security update, provided it met the appropriate quality bar.

Our engineering teams spent a great deal of time testing this approach and found it was feasible. We then took that work and developed it into a security update, putting it through our standard testing to ensure it met an appropriate level of quality for broad release. What we released today with MS08-068 is that security update. It addresses the SMBRelay issue but does so in a way that doesn’t have the negative impact on applications that we originally believed addressing this issue would have.

As Mark notes in his post, implementing SMB signing is still an option and one that we ultimately recommend. However, if you’re like me and remember the SMBRelay attack, you now have a protection option in case you can’t implement SMB signing: apply MS08-068. I hope this helps give some more background on this.

Thanks

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*
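To make the relay and the two defences discussed in this post concrete, here is an added Python model; it is not Microsoft's code and is not wire-compatible NTLM (SHA-256 and HMAC-SHA256 stand in for the NT hash and the NTLMv2 HMAC-MD5 proof). An attacker sits between a victim client and a target server, forwards the target's challenge to the victim and the victim's response back to the target, then tries to use the session it obtained. SMB signing is modelled as a session key derived from the password hash, which the relay never sees, so it cannot sign. The post does not describe the internals of MS08-068, so the reflection check here (a client refusing to answer a challenge that its own server side issued) is an assumption about the shape of the fix, not a description of it. The hosts, the account `alice` and the password are made up for the example.

```python
import hashlib
import hmac
import os

# Simplified, non-wire-compatible NTLM model: SHA-256/HMAC-SHA256 stand in for
# the NT hash and the NTLMv2 HMAC-MD5 proof.

def password_hash(password: str) -> bytes:
    """Stands in for the NT hash; only the user and the authenticating server hold it."""
    return hashlib.sha256(password.encode("utf-16le")).digest()

def challenge_response(pwhash: bytes, challenge: bytes, nonce: bytes):
    """NTLMv2-shaped: the session key is derived from the proof with the same secret,
    so a relay that only sees the wire never learns the key needed to sign."""
    proof = hmac.new(pwhash, challenge + nonce, hashlib.sha256).digest()
    return proof, hmac.new(pwhash, proof, hashlib.sha256).digest()

class Host:
    """One machine acting as both SMB server and SMB client."""
    def __init__(self, accounts, require_signing=False, detect_reflection=False):
        self.accounts = accounts                    # user -> password_hash
        self.require_signing = require_signing      # the SMB signing mitigation
        self.detect_reflection = detect_reflection  # modelled MS08-068-style check (assumed shape)
        self.issued = set()                         # challenges our server side sent
        self.sessions = {}                          # session id -> session key

    # server role
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.issued.add(challenge)
        return challenge

    def authenticate(self, user, challenge, nonce, proof):
        """Returns a session id on success, None on failure."""
        if challenge not in self.issued or user not in self.accounts:
            return None
        self.issued.discard(challenge)              # each challenge is answered once
        expected, key = challenge_response(self.accounts[user], challenge, nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = key
        return sid

    def execute(self, sid, command: bytes, signature):
        if self.require_signing:
            expected = hmac.new(self.sessions[sid], command, hashlib.sha256).digest()
            if signature is None or not hmac.compare_digest(expected, signature):
                return "REJECTED: bad or missing SMB signature"
        return "OK: " + command.decode()

    # client role
    def respond(self, user, pwhash, challenge):
        """Answer a challenge from whatever we connected to, hostile or not."""
        if self.detect_reflection and challenge in self.issued:
            return None                             # our own challenge, bounced back
        nonce = os.urandom(8)
        proof, key = challenge_response(pwhash, challenge, nonce)
        return nonce, proof, key

def direct_login(client, server, user, pwhash, command=b"dir"):
    """Honest client straight to the server; it holds the key, so it can sign."""
    challenge = server.issue_challenge()
    nonce, proof, key = client.respond(user, pwhash, challenge)
    sid = server.authenticate(user, challenge, nonce, proof)
    return server.execute(sid, command, hmac.new(key, command, hashlib.sha256).digest())

def relay(victim, target, user, pwhash, command=b"copy backdoor.exe"):
    """SMBRelay: forward target's challenge to the victim and the victim's answer
    back to target, then try to use the session that results."""
    challenge = target.issue_challenge()                # attacker connects to target
    answer = victim.respond(user, pwhash, challenge)    # victim connected to attacker
    if answer is None:
        return "REFUSED: client rejected reflected challenge"
    nonce, proof, _key_only_victim_knows = answer
    sid = target.authenticate(user, challenge, nonce, proof)
    if sid is None:
        return "REFUSED: authentication failed"
    return target.execute(sid, command, signature=None)  # no key, so no signature

def scenarios():
    """Constructed hosts and account; returns the outcome of each exchange."""
    alice = password_hash("Winter2008!")
    plain_fs = Host({"alice": alice})
    signed_fs = Host({"alice": alice}, require_signing=True)
    unpatched_ws = Host({"alice": alice})
    patched_ws = Host({"alice": alice}, detect_reflection=True)
    return {
        "direct_signed": direct_login(unpatched_ws, signed_fs, "alice", alice),
        "relay_unsigned": relay(unpatched_ws, plain_fs, "alice", alice),
        "relay_signed": relay(unpatched_ws, signed_fs, "alice", alice),
        "reflect_unpatched": relay(unpatched_ws, unpatched_ws, "alice", alice),
        "reflect_patched": relay(patched_ws, patched_ws, "alice", alice),
        "relay_from_patched": relay(patched_ws, plain_fs, "alice", alice),
    }
```

The scenarios line up with the post: an unsigned file server accepts the relayed session and runs the attacker's command; a server that requires signing authenticates the relayed credentials but rejects every command, because the attacker cannot produce the signature; a workstation with the modelled reflection check refuses to answer its own challenge. The last scenario is the caveat to keep in mind: the reflection check protects a machine only from having its credentials bounced back at itself, which is what the 2008 update addressed, and does nothing when the attacker relays them to a different host. Only signing on the target covers that case, which is why the post still recommends SMB signing over relying on the update alone.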

Category : Microsoft | Blog
11 Nov

Hi! This is Tami Gallupe, MSRC Release Manager, and I just wanted to give you an update on the two bulletins we released today:

·        MS08-068: Vulnerability in SMB Could Allow Remote Code Execution (957097). This has a severity rating of Important.

·        MS08-069: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218). This has a severity rating of Critical.

This information, and more, is also documented in the Microsoft Security Bulletin Summary for November 2008, and you can also read this month’s Security Vulnerability Research & Defense blog at http://blogs.technet.com/swi/ where the team dives into more technical details about this month’s release.

I hope you will also join us for the webcast that starts tomorrow (Wednesday, November 12th) at 11:00 AM PST. I value this event as it gives us a chance to hear from you, to take your questions and answer them live, on the air. Click here to register for TechNet Webcast: Information About Microsoft November Security Bulletins. We look forward to hearing from you tomorrow.

Cheers!

Tami

*This posting is provided "AS IS" with no warranties, and confers no rights*

Category : Microsoft | Blog
6 Nov

Hello, Bill here.

I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release, which will occur on Tuesday, Nov. 11, 2008 around 10 a.m. Pacific Standard Time.

It is important to remember that, while the information posted below is intended to help with your planning, it is preliminary and subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release two security bulletins:

·        One Microsoft Security Bulletin affecting Microsoft Windows/Microsoft Office rated as Critical, and one affecting Windows rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

We are also planning to release high-priority, non-security updates on Windows Update, Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advance Notification.

As always, we’ll be holding the November edition of the monthly security bulletin webcast on Wednesday, Nov. 12, 2008 at 11 a.m., Pacific Standard Time. We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well at the same URL. In addition, we’ll also be posting the text of the questions and answers from each month’s webcast. You can see a full listing of the posted questions and answers on this page.

You can register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374642&Culture=en-US

*This posting is provided "AS IS" with no warranties, and confers no rights*

Category : Microsoft | Blog
5 Nov

Latest on MS08-067

Posted by MSRCTEAM

Hi, this is Christopher Budd. We’ve been getting some questions from customers this week asking if we’ve seen any changes in the threat environment around MS08-067. We do have some information that we can share so I wanted to pass that along.

Most importantly, we continue to see strong deployments of MS08-067. We’re glad that customers have moved as quickly as they have to download, test and deploy the update. That said, we continue to urge customers who haven’t yet deployed the update to do so.

We have seen some new pieces of malware attempting to exploit this vulnerability this week. And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word “worm,” they do underscore the importance of deploying this update if you haven’t already.

My colleagues over in the Microsoft Malware Protection Center (MMPC) have provided write ups on the new pieces of malware we’ve seen this week and have included signatures to help protect against these.

·        Trojan:Win32/Wecorl.A

·        Trojan:Win32/Wecorl.B

·        Trojan:Win32/Clort.A

·        Trojan:Win32/Clort.A!exploit

·        Trojan:Win32/Clort.A.dr

·        TrojanDownloader:Win32/VB.CQ

·        TrojanDownloader:Win32/VB.CJ

Again, none of these are broad, fast-moving, self-replicating attacks. They’re similar to the original attacks we detected, in that they focus on loading malware onto vulnerable systems. They’re also similar in that the overall scope of these attacks is very limited. The largest of these attacks are those associated with the Clort family, and we’ve seen well below fifty attacks worldwide.

Overall the threat environment remains similar to what it was last Monday when we released Microsoft Security Advisory 958963. The publicly available exploit code has resulted in limited malware attacks seeking to exploit the vulnerability. This is in line with what Mike said we should expect last week. We expect we’ll continue to see new pieces of malware over the coming days and weeks, and our colleagues over in the MMPC will continue to add write-ups and signatures for them.

We’ll continue to watch and update you of any important new developments.

Thanks

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

Category : Microsoft | Blog