Archive for December, 2006

Windows Client Server Run-Time POC

Microsoft released a notice on their Microsoft Security Response Center Blog about a possible proof of concept affecting Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems. Initial indications are that the attacker must already be authenticated.

Aside from discussing the holidays, the reason I am dropping in on the blog is that right now we are closely monitoring developments related to a public posting of proof of concept code targeting an issue with the Client Server Run-Time Subsystem. The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems. Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft's customers. Currently we have not observed any public exploitation or attack activity regarding this issue. While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date. As always, we here at the MSRC encourage everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software. Source: New report of a Windows vulnerability

They say no current exploitations or attacks have been seen yet.

Posted by Jimmy Daniels - December 22, 2006 at 5:16 am

Categories: Security, Windows 2000, Windows Vista, Windows XP

GPS Data and Google Earth

All kinds of great stuff is available for Google Earth; case in point, how about some do-it-yourself mapping? GPS Visualizer lets you input GPS data, street addresses or simple coordinates and outputs a picture of the trip. So, for example, you could input your drive to the beach next summer and print it out, or, if you are going on a big trip, plot each point and see where you have been. This is pretty cool. First, as always, you need Google Earth; click this link to download it. It is part of the Google Pack, which contains all kinds of great free software; download it all, or just Google Earth if you'd like. Then click this link to the Google Earth KML file, and you are ready to start. This would be great for geocachers: they could plot all of the spots they have visited and print out a map, which might make a nice little surprise if you know someone who is one.

GPS Visualizer is a free, easy-to-use online utility that creates maps and profiles from GPS data (tracks and waypoints), street addresses, or simple coordinates. Use it to see where you’ve been, plan where you’re going, or visualize geographic data (business locations, scientific observations, events, customers, real estate, geotagging, etc.).

GPS Visualizer can read data files from many different sources, including but not limited to: GPX, OziExplorer, Geocaching.com (.loc), IGC sailplane logs, Garmin Forerunner (.xml/.hst), Timex Trainer (v1.3+), Cetus GPS, PathAway, cotoGPS, CompeGPS, TomTom (.pgl), IGN Rando (.rdn), Emtac Trine, Suunto X9/X9i (.sdf), NetStumbler/WiFiFoFum, and of course tab-delimited or comma-separated text.

GPS Visualizer can draw maps in SVG, JPEG/PNG, and Google Maps format, and can also create map overlays and KML files for Google Earth. For non-Google maps, JPEGs are easier to deal with, but SVGs are interactive — to view them, make sure you’ve installed Adobe’s free SVG Viewer plug-in. Source: GPS Visualizer

Here is the link to some more Google Earth Layers.

Posted by Jimmy Daniels - December 21, 2006 at 5:47 pm

Categories: Google

Weather Layers for Google Earth

Here are some more great layers for Google Earth. Weatherbonk has posted four layers that allow you to see temperatures around the world. First, you need to download Google Earth by clicking this link; it is part of the Google Pack and is full of great free software. Download it all, or just Google Earth, it's up to you. Then click the links below to download the Google Earth layers; they will open in the program automatically. Piece of cake!

Fahrenheit (no wind barbs)

Fahrenheit (wind barbs)

Celsius (no wind barbs)

Celsius (wind barbs)

Posted by Jimmy Daniels - at 4:36 am

Categories: Google, Software

Windows Vista and Malware

How does Windows Vista stand up to the current crop of malware and crapware coming from the Internet? Pretty good, if you ask Jim Allchin; in a recent post he talks about a comparison that Sophos did. In its monthly report Sophos tracks the top ten threats reported to them for that month, so Sophos tried to see if Windows Vista was vulnerable to them. Straight out of the box with the default settings, Windows Vista was not vulnerable to any of them. But not according to Sophos.

These are listed as virus name and then the percentage of reports to Sophos.
W32/Stratio-Zip 33.3%
W32/Netsky-P 15.6%
W32/Bagle-Zip 6.1%
W32/Zafi-B 4.3%
W32/Netsky-D 3.9%
W32/Nyxem-D 2.5%
W32/MyDoom-O 2.5%
W32/Mytob-C 2.4%
W32/Sality-AA 1.8%
W32/Zafi-D 1.7%

Source: Top Ten Threats for November 2006.

This is the article, here, that Sophos posted saying Windows Vista was vulnerable to 3 of the top 10 malware threats, and here is an excerpt,

Sophos experts note that on the launch date of Microsoft’s Windows Vista operating system, three of the top ten – including Stratio-Zip – are capable of bypassing the operating system’s security defenses and infecting users’ PCs. The Vista-resistant malware – W32/Stratio-Zip, W32/Netsky-D and W32/MyDoom-O – comprise 39.7% of all malware currently circulating.

The results showed that while the Windows Mail email client (Vista’s upgrade of Outlook) was able to identify and halt all of the threats, W32/Stratio-Zip, W32/Netsky-D and W32/MyDoom-O – each of which are commonly disseminated via email – were able to bypass the defenses when accessed via a third-party web email client. This represents a serious issue for businesses who allow employees to access their personal email at work, as well as for companies that are considering adopting an alternative email client.

“There has been much speculation about whether Vista would render existing malware extinct, and the news is now in – it won’t,” said Carole Theriault, senior security consultant at Sophos. “While Microsoft should be commended for the huge security improvements it has made in Vista, running separate security software is still essential to eliminate the risk of infection. On top of this, cyber criminals will already be looking at creating Vista-specific malware. Users need to think carefully about whether their current solution is going to offer sufficient protection against such emerging threats, given that some vendors continue to experience problems adapting their software for the Vista operating environment.” Source: Three of the top ten malware threats run on Microsoft Vista, Sophos tests show

So, Jim Allchin set his team to testing these malware apps in Windows Vista themselves to see how they affected the operating system, and they say that if you are using only the software in Windows Vista, meaning the mail client and no other security software, then it is not vulnerable.

In order to understand what was really going on here, I asked the team to go look at the technical facts behind the story, and that started in the lab. We began by observing first-hand how these various forms of malware affect a Windows Vista system using a machine that was configured with the default settings and without any additional security software. What we found was that if you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.

If you are using Microsoft Outlook or a third-party email client that blocks execution of known executable formats, then a user running Windows Vista is not vulnerable to eight of the ten malware threats. In the case of the ninth piece of malware, Bagle-Zip, the malware is able to run because it uses the .ZIP file format which some mail programs do not block. In the case of the tenth piece of malware, Mydoom-O, the malware is sometimes able to run because it randomly chooses the file type to which to distribute its payload and sometimes that file type is an executable inside a .ZIP file, which some mail programs do not block. In both cases, this is a function of the e-mail software, not Windows Vista. That said, even when a user receives a mail infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in order for the malware to affect the system, the user must first explicitly open the .ZIP file and then explicitly run the executable file that’s contained inside the .ZIP file — there is no way for this to happen without two steps of user action. If you happen run a third-party email client that does not block known executable formats, then you may also be vulnerable to Netsky-D. Source: Windows Vista and protection from malware on the Windows Vista team Blog.

So, the difference is: if your email client allows the zip format, you still have to open the zip and then run the executable. So, while Sophos' tests show that Vista is vulnerable to three of them, apparently they left out the fact that they actually had to open up the allowed zip files, and that they installed Microsoft Outlook and did not use the Windows Mail client. So, is this a case of Sophos trying to sell more software, or do they just never tell exactly how they test software? I noticed that there are a couple of links to the Windows Vista version of their anti-virus software on this "press release".
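The point in the Allchin quote is that the blocking happens in the mail client, and that an executable inside a .ZIP slips past clients that only block known executable extensions directly. As an added example (not code from the original post, Microsoft or Sophos), here is a small Python triage routine that walks a MIME message and reports, per attachment, whether it is a directly attached executable, a ZIP that wraps one, or something else. The extension list, the message and the attachment contents are constructed for the example; nothing is extracted or executed.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions treated as "known executable formats" for this example (an assumed list,
# not any particular mail client's list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_name(name):
    """Case-insensitive extension check; 'photo.jpg.exe' counts because it ends in .exe."""
    lowered = name.lower()
    return any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def executables_in_zip(data):
    """Return the names of executable entries inside a ZIP payload by reading the
    central directory only; nothing is written to disk or run."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if is_executable_name(info.filename):
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass  # a .zip name that is not a ZIP archive is reported as clean here
    return found


def triage_message(raw_bytes):
    """Classify each attachment as 'direct-executable', 'zip-with-executable',
    'zip-clean' or 'other'. Returns a list of (filename, verdict, nested_names)."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # the message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(filename):
            findings.append((filename, "direct-executable", []))
        elif filename.lower().endswith(".zip"):
            nested = executables_in_zip(payload)
            verdict = "zip-with-executable" if nested else "zip-clean"
            findings.append((filename, verdict, nested))
        else:
            findings.append((filename, "other", []))
    return findings


def build_sample_message():
    """Constructed sample (not a real malware sample): one directly attached .exe,
    one ZIP wrapping a double-extension .exe, and one harmless text attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("photo.jpg.exe", "MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict, nested in triage_message(build_sample_message()):
        print(f"{filename:12s} {verdict:20s} {nested}")
```

The check deliberately looks only one level deep; a ZIP nested inside a ZIP, or a password-protected archive, would need extra handling, which is exactly the kind of gap a mail client's extension filter also has.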

Posted by Jimmy Daniels - December 20, 2006 at 6:50 pm

Categories: Malware, Security, Windows Vista

Skype Worm Actually a Trojan Horse

Apparently, there is some confusion concerning the Skype worm I posted about yesterday. Websense now says it is a Trojan horse and that it is not exploiting anything; it is just using the chat portion to send the file.

Yesterday Websense Security Labs reported on our blog that there was a potential Worm propagating via Skype (see: http://www.websense.com/securitylabs/blog/blog.php?BlogID=101). After investigation we have discovered that this is not a self propagating worm and is actually a Trojan Horse.

After discussions with the very helpful Skype security team, the behavior of this Trojan using the Skype API is as per the specifications of the API. The end-user who is running Skype does get notified that a program is attempting to access it and must acknowledge it. Source: Websense

Here is what F-Secure says about it.

  • There is no massive outbreak going on
  • There is something spreading on Skype, but only in limited numbers
  • It is not exploiting a vulnerability in Skype but simply sending chat messages asking you to download and run the infected executable
  • There are two different and separate malware samples being talked about relating to this case, confusing things further
  • One of them is named “sp.exe”. We received a sample of this yesterday and added detection. This one is connecting to nsdf.no-ip.biz in its attempt to download additional components
  • The other one is described in here. This one downloads additional components from marx2.altervista.org, and it’s actually not new at all: we’ve detected it since beginning of October.

Source: F-Secure

So, this puppy will probably start showing up using some other chat programs, and is probably one of many variants to come. As we all know, these guys are getting lazy and just pumping crap out into the internet hoping to snag a few users.
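The two download hosts in the F-Secure bullets are the one concrete thing a defender can watch for. As an added example (not from Websense, F-Secure or the original post), here is a Python check that runs over constructed DNS query log lines and flags lookups of those hosts, including any subdomain, while not matching names that merely end in the same characters. The log line format and the sample lines are assumptions made for the example.

```python
import re

# Download hosts named in the F-Secure bullets, used here as a watch list.
WATCHLIST = {"nsdf.no-ip.biz", "marx2.altervista.org"}

# Constructed DNS query log lines (not real logs) in a simple key=value format
# assumed for this example.
SAMPLE_LOG = """\
2006-12-19T17:40:02 client=10.0.0.15 query=www.example.com type=A
2006-12-19T17:40:05 client=10.0.0.15 query=nsdf.no-ip.biz type=A
2006-12-19T17:41:11 client=10.0.0.22 query=update.marx2.altervista.org type=A
2006-12-19T17:41:30 client=10.0.0.31 query=notnsdf.no-ip.biz type=A
2006-12-19T17:42:00 client=10.0.0.15 query=NSDF.NO-IP.BIZ. type=AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)


def normalize(qname):
    """Lower-case and drop a trailing dot so 'NSDF.NO-IP.BIZ.' equals 'nsdf.no-ip.biz'."""
    return qname.lower().rstrip(".")


def matches_watchlist(qname, watchlist=WATCHLIST):
    """Return the watch-list entry that qname equals or is a subdomain of, else None.
    The '.' prefix in the suffix test keeps 'notnsdf.no-ip.biz' from matching."""
    q = normalize(qname)
    for domain in watchlist:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def scan_log(text, watchlist=WATCHLIST):
    """Parse each line and collect (timestamp, client, queried name, matched entry)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        matched = matches_watchlist(m["qname"], watchlist)
        if matched:
            hits.append((m["ts"], m["client"], normalize(m["qname"]), matched))
    return hits


def affected_clients(hits):
    """Distinct clients that looked up a watch-listed name, for follow-up."""
    return sorted({client for _, client, _, _ in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("clients to look at:", affected_clients(found))
```

Matching on label boundaries matters in practice: a plain substring test would flag the unrelated "notnsdf" name above, and missing the trailing-dot and case normalization would let the last query through.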

Posted by Jimmy Daniels - at 5:53 pm

Categories: Security, Virus Info

Security Vendors Get First Draft of PatchGuard APIs

Microsoft today released the first draft of their PatchGuard APIs that will allow independent security vendors to get around the new kernel protection of PatchGuard. They also released an evaluation document that details the process Microsoft used in evaluating vendor requests for APIs to the Vista kernel, and they want feedback on the evaluation criteria as well as the PatchGuard APIs by the end of January 2007.

Today’s draft APIs are based on feedback from 26 security vendors and address four major areas, Fathi said. They include APIs for tamper protection, memory-based controls and image-loading operations. Together, the APIs address a majority of the issues raised by third-party security vendors in discussions over the past few months, Fathi said.

“Over the next few weeks, we will work with them to see if there are any changes that are needed,” he said. “Hopefully, everybody will agree this is the right set of APIs and this is what we will deliver in Vista SP1,” he said. Microsoft also plans to continue to work with vendors in gathering requirements from them and delivering new APIs as needed.

At the same time, however, Microsoft has not changed its position regarding third-party access to the Vista kernel, Fathi said. Some vendors have asked the company to consider allowing qualified security vendors to modify the kernel. They point to the fact that they have been allowed to do so with 32-bit versions of Windows and argue that it should be allowed on 64-bit Vista as well. Source: Computerworld

Security vendors still want to be able to manipulate the kernel, like they have been able to do until the release of PatchGuard, but Microsoft says it is key to the prevention of malware such as rootkits; if the security vendors can get around it, then so, one day, will some of the malicious programmers. Some of the vendors, like Symantec, say Microsoft is hindering their ability to deliver some features of their software and that they need to be able to manipulate the kernel to provide host-based intrusion prevention and tamper protection. I say, just do antivirus. I worked on a PC today that had Symantec Security Suite installed, which has a firewall, spyware protection, intrusion detection and loads of stuff running. Even with all of that, it was still eaten up with spyware and crap, and after uninstalling it, the system acted like I had reloaded the operating system; it was that much faster. So, Symantec, McAfee and whoever else might be listening, just make good antivirus like we are used to; your software slows down our machines more than the spyware and malware does.

Posted by Jimmy Daniels - at 5:08 am

Categories: Malware, Security, Virus Info

Update Your Zune Firmware, Finally Windows Vista Compatible

Microsoft has released a firmware update, version 1.2, for the Zune Music Player, I have not seen it myself, but according to Zuneboards it speeds the Zune up pretty good.

So you might be asking, does this really help? Can you actually notice a difference in the performance? I’ll be honest with you. Yes. Definitely. After the update, I’ve been playing around with my Zune for a couple of minutes. Usually, I get the lag image (the one with the circling dot things) every time I view pictures. This time, I went through 450 without a single lag. I also noticed an improvement while switching modes, and switching from videos to music. Source: Zuneboards

Definitely sounds like an improvement, hopefully they can get all the little problems fixed and some new features by the time I get mine. Here are the installation instructions from the Microsoft site, pretty simple install.

To install the latest Zune firmware, follow these steps:
1. Install the version of the Zune software that was included with your Zune device.

2. Connect your Zune device to a computer, and then put your Zune device on a stable surface.

Note If the battery in your Zune device is critically low, we recommend that you charge your Zune device before you continue. For more information about how to charge your Zune device, click the following article number to view the article in the Microsoft Knowledge Base:
927348 (http://support.microsoft.com/kb/927348/) How to charge the battery in your Zune device

3. Open the Zune software. You receive a message to update your Zune device. If you do not receive this message, follow these steps: a. Click Options, point to Sync, point to , and then click Check for Zune Device Updates. Source: Microsoft

A person working on the Zune team, Cesar Menendez, posted that this will make the Zune Vista compatible and the rest is mostly plumbing issues, such as the speed increases etc.

Today (Tuesday the 19th of December) we're issuing a 22 MB update to make Zune compatible with Windows Vista. The update also improves the Zune software installation process, addressing some of the known issues users reported. Like Jason R said recently "It is plumbing stuff, but it is stuff customers will notice and appreciate." So you should install the update, even if you're not running Vista. Source: Zune Insider

I saw a post on engadget on how theirs froze up, and a few others chimed in, with one saying that it was updated when he reset it to cancel it, so it may just finish the updates well on some machines. So, here’s another of our Zune Tips, upgrade your firmware, hehe.

Posted by Jimmy Daniels - December 19, 2006 at 7:59 pm

Categories: Gadgets

New Worm, W32.Chatosky, Using Skype to Infect Users

A new worm is spreading its way around the internet using Skype, the first, I believe, to use Skype, although I could be wrong. This virus affects all of these versions of Windows: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP. So, pretty much all of them but the newest and the oldest.

Here is the info Websense has on it,

  • users receive messages via Skype Chat to download and run a file
  • the filename is called sp.exe
  • assuming the file is run it appears to drop and run a password stealing Trojan Horse
  • the file also appears to run another set of code that uses Skype to propagate the original file
  • the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
  • the file connects to a remote server for additional code
  • the original site has been black holed and is not serving the code anymore
  • the number of victims is still TBD
  • the original infections appear to be in APAC region (Korea in particular)

Source: Websense

Symantec has more info on their site, and they are calling it W32.Chatosky.

When W32.Chatosky is executed, it performs the following actions:

Searches the registry for the location of the Skype application.

Displays the following message and then exits if it cannot find the registry:

Error!
I could not find Skype !

Executes the Skype application and displays the following message if it finds the registry:

Warning!
Allow this program in skype!

Queries Skype for random users every 3 minutes.

Starts the Skype application and sends the following message to the users:

Check this! Here is where it displays a url containing the worm body.
Source: Symantec

To remove it, disable System Restore (Windows Me/XP), update the virus definitions and run a full system scan.

Posted by Jimmy Daniels - at 7:34 pm

Categories: Malware, Security, Virus Info

New Video Support and Review Section – video.tipsdr.com

All right, everyone else is launching their own video component, why not Tips Dr.com? We have added a video section here titled Windows Support Videos, but it is much more than that. Reviews from computer games to console video games, to cell phones, to digital cameras, all kinds of Windows XP help and a bunch of Windows Vista videos, how to setup a wireless router, how to install protection for your iPod, and all kinds of great iPod accessory reviews, software tutorials and much more. If you have any videos that are technology related, please submit them, if you make your own, all the better, as long as they are accurate we will list them, so submit your videos today!

Posted by Jimmy Daniels - at 6:12 am

Categories: Gaming News, Nano Accessories, Reviews, Software, YouTube

No Risk for Malware Authors

Well, here’s another reason for some of the dirt bags of society to start writing malware, if they are careful, they usually don’t get caught. Not only can they make some good money doing it, they get away with it and continue on, doing the same thing, as these security researchers say, cranking out the quantity, not quality, if such a term can be useful in describing malware.

Over the last six months, the technical creativity of malware has fallen along with the ability to cause massive damage, such as that created by the MyDoom and Sasser worms of years past, wrote Alexander Gostev, senior virus analyst for Kaspersky Lab, in a recent report.

To be sure, some malicious hackers are doing creative work. This year saw some sophisticated phishing attacks, and virus writers have been branching into relatively new areas like instant messaging and social networking sites, noted Christopher Boyd, security research manager for FaceTime Communications. But the trend overall, he said, has been “quantity over quality.”

The increase in the volume of malicious code can be attributed in part to the impunity enjoyed by malware writers, said Eugene Kaspersky, head of antivirus research. Despite efforts by law enforcement agencies to strengthen international cooperation, most malware writers are never punished.

“It’s quite safe for them,” Kaspersky said. “If they are clever enough, there is almost no risk for them at the moment.” Source: InfoWorld

As I have said, again and again, this problem is not going to go away as long as people advertise with them, or as long as affiliate networks like CJ, Linkshare and others allow this malware to be affiliates in their networks. If merchants won't do it by themselves, then we, as consumers, need to stop supporting those who do, and stop visiting websites that advertise with them. How do you do that? Download SiteAdvisor; it will let you know if you are on a site with bad ratings in their database. Nice quote there from Malware Killer Chris Boyd, aka the Paper Ghost.

2 comments - Posted by Jimmy Daniels - at 4:02 am

Categories: Malware, Security
