Monday, December 29, 2008
What happened to CastleCops??
"Greetings Folks,
You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created. With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium (ISC.org). This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support. We thank everyone in creating our unique footprint and memories in time.
Love, Best Wishes and Happy Holidays,
CastleCops
PST 23 Dec 2008"
It's known that Paul had taken a full-time job with Microsoft (http://www.geek.com/articles/microsoft/castlecops-paul-laudanski-accepts-job-at-microsoft-20080613/) and had settled in Redmond. Although they had problems funding the infrastructure and were also being targeted by spammers, closing down CC... this was absolutely unexpected...
I will try to dig a little deeper into what actually happened once I come back from my holidays...
Anyway... Thanks a lot Paul & Robin, and thanks CC for being there all these years... we all carry a lot of good memories...
Wednesday, December 24, 2008
Tuesday, December 23, 2008
Microsoft Security Advisory (961040)
Published: December 22, 2008
URL: http://www.microsoft.com/technet/security/advisory/961040.mspx
Yesterday Microsoft released yet another Security Advisory (961040), describing a vulnerability in SQL Server that could allow remote code execution. According to the advisory, there is a risk of remote attack if:
1: An application that uses one of the affected Microsoft SQL Server products (see below) has a SQL injection vulnerability
2: During the installation of MSDE 2000 or SQL Server 2005 Express, Accept Remote Connections was enabled
3: Untrusted users are allowed access to MSDE 2000 or SQL Server 2005 Express
It has also been pointed out that exploit code for this vulnerability is publicly available, and Microsoft is investigating further. They have not yet released a Security Bulletin or patch for the issue, but they have published workarounds. Although the workarounds do not remove the underlying vulnerability, they considerably reduce the attack surface (see below). Follow the Security Advisory URL above for details of the workarounds, or use the script from the KB article below to apply them:
http://support.microsoft.com/kb/961040
Other useful information:
Affected Microsoft SQL Server Software:
Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon)
Unaffected Microsoft SQL Server Software:
Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008. Note that although MSDE 2000 and SQL Server 2005 Express are affected, by default they do not allow remote connections, so an attacker would already need local access to a machine running MSDE 2000 or SQL Server 2005 Express to exploit this vulnerability on it.
Threat Mitigating Factors:
> This issue does not affect supported editions of Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008
> This vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate
> By default, MSDE 2000 and SQL Server 2005 Express do not allow remote connections. An authenticated attacker would need to initiate the attack locally to exploit the vulnerability
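The first precondition, a SQL injection flaw in the application in front of the database, is what turns a bug that requires authenticated access into one reachable by anyone who can talk to the web application. As an added example (not from the advisory or from this post), the Python below uses the standard library's sqlite3 module as a stand-in for SQL Server to contrast a query assembled by string concatenation with a parameterised one; the table, its rows and the attacker string are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database: a products table with a 'published' flag.
    sqlite3 stands in for SQL Server here; the injection pattern is identical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "secret-prototype", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    """Precondition 1 from the advisory: user input is pasted into the SQL text,
    so the caller controls the statement the database engine executes."""
    sql = "SELECT name FROM products WHERE published = 1 AND name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the input is bound as a value and can never change
    the structure of the statement, which removes the injection precondition."""
    sql = "SELECT name FROM products WHERE published = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# Constructed attacker input: closes the string literal and appends OR '1'='1'.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, INJECTION))  # leaks the unpublished row
    print("safe:      ", search_safe(db, INJECTION))        # matches nothing
```

The vulnerable version returns every row, including the unpublished one, because the injected string rewrites the WHERE clause; the parameterised version treats the whole string as a product name and matches nothing. Whatever the driver (pyodbc, ADO.NET, JDBC), binding parameters instead of building SQL text is the application-side fix that removes condition 1 regardless of whether the server itself has been patched.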
Thursday, December 18, 2008
Microsoft Security Bulletin MS08-078
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: December 10, 2008 | Updated: December 17, 2008
Microsoft has completed its investigation into a public report of this vulnerability and has issued Security Bulletin MS08-078, rated Critical. The vulnerability addressed is the Pointer Reference Memory Corruption Vulnerability described earlier in Microsoft Security Advisory (961051).
Microsoft Security Bulletin MS08-078 - Critical
Security Update for Internet Explorer (960714)
Published: December 17, 2008
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
SECURITY BULLETIN TECHNICAL DETAILS
| Identifier | MS08-078 |
| Severity Rating | This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7. |
| Impact of Vulnerability | Remote Code Execution |
| Detection | Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. |
| Affected Software | Internet Explorer 5.01 (Windows 2000), Internet Explorer 6 (Windows 2000), Internet Explorer 6 SP1 (Windows XP and Windows Server 2003), and Internet Explorer 7 (Windows XP, Windows Server 2003, Windows |
| Restart Requirement | The update will require a restart only if the required files are being used. If this occurs, a message appears that advises you to restart. |
| Removal Information | For Windows 2000, Windows XP, Windows Server 2003: use the Add or Remove Programs tool in Control Panel or the Spuninst.exe utility |
| Bulletins Replaced by This Update | None. |
| Full Details: | http://www.microsoft.com/ |
Microsoft recommends that customers apply the update immediately.
Wednesday, December 17, 2008
Microsoft Security Advisory 961051
The Security Advisory 961051 describes the vulnerability:
"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable"
The attack is typically carried out by compromising a legitimate site (for instance through SQL injection) and planting the exploit code on it. Users visiting such sites are attacked and the vulnerability is exploited; once exploitation succeeds, the exploit may also drop a Trojan on the system. Since the vulnerability was made public on December 10, 2008, it has been exploited against roughly 0.2% of Windows Internet Explorer 7 users.
These attacks come mainly from pornography sites, which knowingly or unknowingly host the exploit code. A large number of the sites initiating the attack are hosted on Chinese domains. According to Microsoft's observations, attacks have been detected from many countries. Refer to the chart below (Ref: MMPC Blog)

You can refer to further details from the below links:
http://www.microsoft.com/technet/security/advisory/961051.mspx
http://support.microsoft.com/kb/961051
http://blogs.technet.com/mmpc
EDITED:
The Chinese security research group "Knownsec" mistakenly released the exploit code.
Meanwhile, the Chinese team has acknowledged the mistake in their blog, saying "This is our mistake :("
Chinese:
http://www.scanw.com/blog/archives/303
English:
http://translate.google.com/translate?hl=en&u=http%3A%2F%2Fwww.scanw.com%2Fblog%2Farchives%2F303&sl=zh-CN&tl=en
Adding spice to the matter, iDefense, the computer security arm of VeriSign, has revealed that the code was traded for as much as US$15,000 on underground criminal markets. Information on the vulnerability was allegedly sold in November on the underground black market for US$15,000; earlier this month the exploit was sold second- or third-hand for $650, said iDefense. This gave malware authors ample time to exploit the unpatched vulnerability before a fix was available.
MalwareInfo.Org Joins EvilFingers Community
You can read further about this alliance in their blog post as well: http://evilfingers.blogspot.com/2008/12/malwareinfoorg-evilfingerscom-are-now.html
The mission statement of the EvilFingers community states its purpose very clearly:
"EvilFingers aims at uniting different pieces of information into one unanimous framework, where everything is mapped to everything else. This approach helps analysts, engineers, consultants and the management to understand the meaningful relationships between different parts of Information Security that could be lost if it remains untouched. Security has been there for several thousand years and yet when humans try deploying the same in different forms, there are several possibilities of misinterpretations that make it even harder to attain complete security. Our mission that we have chosen is to bring in as many resources as possible into one single roof to help this community"
It's a community of responsible information security professionals (EF Members) who strive to make the world a little safer.
Wednesday, December 10, 2008
Device Manager may not show any devices after XP SP3 Installation
Sometimes, after the installation of Windows XP SP3, Device Manager may not show any devices, Network Connections may not show any network connections, and opening Services.msc from START > RUN may give an "Access Denied" error.
Why the problem happens?
This problem may occur when an antivirus application is running during the installation of Windows XP SP3. When the Fixccs.exe process is called during the installation, it creates some intermediate registry subkeys which it later deletes. In some cases, the antivirus application may not let the Fixccs.exe process delete these intermediate registry subkeys.
There is a hotfix from Microsoft (KB953979) that may resolve the issue.
Download the hotfix from the below link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6ADAF000-E2AA-4EAF-81F4-6AF385768280
How to apply the hotfix?
1. Download the hotfix package.
2. Restart the computer in Safe Mode.
3. Extract the hotfix that you downloaded.
4. Locate and double-click the Fixccs.exe file. A Command Prompt window opens, and the necessary tasks are performed. The Command Prompt window closes automatically after all tasks are completed.
5. When the necessary tasks are completed, restart the computer in normal mode.
Tuesday, December 9, 2008
MS08-067 & New Viruses - MIRT Discussion @ CC
The reply is posted below:
---------------------
That is possible, but probably not the case this time.
I quote from Microsoft:
Quote:
Today Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix "out of band" (not on the regular Patch Tuesday).
Which means the exploit code is out there already.
More info here:
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
It is an extremely relevant discussion, though, on how to reduce patch-based exploit generation. That would have to be taken up by the software vendor itself (in this case Microsoft).
Here is an interesting post by SANS ISC on the subject:
http://isc.sans.org/diary.html?storyid=4381&rss
---------------------
Refer to the actual MIRT Discussion @ CastleCops:
http://www.castlecops.com/p1120069-.html#1120069
Thursday, December 4, 2008
I Hate USB Infections...
What am i talking about??
Ok... Of late there has been a sharp rise in the number of malware families that spread through USB mass storage devices. The moment you plug in a USB removable device and try to access it, you may well get infected.
How??
Well... why do we use USB removable drives in the first place? Portability! It is obvious that you will carry data to and from your system to other systems using these drives. Some of those systems are infected with crude malware that spreads through USB removable devices. So whenever the USB drive is accessed on an infected system, the malware copies itself to the drive and ensures that its binary executes every time the drive is accessed. It does so by writing the infamous "autorun.inf" file on the drive. Whenever the drive is then accessed on another system, autorun.inf launches the malware binary so that that system also gets infected.
The Autorun feature is what lets CDs play automatically when inserted in the drive. Removable USB drives use the same Autorun option to load files when they are plugged in, and it is this Windows feature that malware authors abuse for their own benefit. USB-borne malware is on the rise, with new variants appearing every day and infecting a lot of systems.
Given the number of new variants coming out almost daily, it has become crucial to post this write-up so that everyone knows what has to be done to stay safe.
Method 1: Registry File -
Copy the text below into Notepad, save it with a .reg extension and double-click the file to merge it into the registry:
---- Begin Copy ----
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000df
---- End Copy ----
Explanation of the above registry snippet:
The low byte of the value is a bitmask over drive types: 0x01 unknown, 0x02 no root directory, 0x04 removable (USB sticks, floppies), 0x08 fixed, 0x10 network, 0x20 CD/DVD-ROM, 0x40 RAM disk, 0x80 reserved. A 1 bit disables Autorun for that drive type, a 0 bit allows it. Written as eight binary digits, the CD/DVD-ROM bit (0x20) is the third from the left, so 11011111 (binary) = df (hex) allows Autorun only for CD/DVD-ROM drives and disables it for removable, fixed and network drives. Consequently 11111111 (ff) disables Autorun for all drive types. Note that the snippet writes the value under HKEY_CURRENT_USER, so it applies only to the user who merges it; to enforce it for every user on the machine, set the same value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is also where the machine-wide Group Policy setting of Method 2 is stored.
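To make the bitmask concrete, here is an added Python helper (not from the original post) that builds the NoDriveTypeAutoRun value from the drive types you still want Autorun enabled for, decodes an existing value back into the drive types it leaves enabled, and emits a .reg file that sets the value under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. The bit assignments follow the Windows drive-type numbering (removable = 0x04, fixed = 0x08, network = 0x10, CD/DVD-ROM = 0x20, RAM disk = 0x40); the labels "unknown", "no_root_dir" and "reserved" for 0x01, 0x02 and 0x80 are names chosen here. autorun_value(["cdrom"]) reproduces the post's snippet value, df.

```python
# Drive-type bits of NoDriveTypeAutoRun (low byte). A set bit disables
# Autorun for that drive type; 0xFF disables it everywhere.
DRIVE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,  # USB sticks, floppies
    "fixed": 0x08,      # internal hard disks
    "network": 0x10,
    "cdrom": 0x20,      # CD/DVD-ROM
    "ramdisk": 0x40,
    "reserved": 0x80,
}
ALL_DISABLED = 0xFF

# Policy key path; the same value under HKLM is machine-wide, under HKCU per user.
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_value(allow=()):
    """Value that disables Autorun for every drive type except those in `allow`."""
    value = ALL_DISABLED
    for kind in allow:
        value &= ~DRIVE_BITS[kind] & 0xFF  # clear the bit = allow Autorun
    return value


def decode(value):
    """Drive types for which Autorun is still enabled in `value` (cleared bits)."""
    return sorted(kind for kind, bit in DRIVE_BITS.items() if not value & bit)


def reg_file(value):
    """Text of a .reg file applying `value` machine-wide and for the current user.
    Registry Editor expects CRLF line endings, hence the explicit join."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        lines.append(f"[{hive}\\{POLICY_KEY}]")
        lines.append(f'"NoDriveTypeAutoRun"=dword:{value:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    v = autorun_value(["cdrom"])        # 0xdf, as in the snippet above
    print(f"value 0x{v:02x} leaves Autorun enabled for: {decode(v)}")
    print(reg_file(v))
```

Running it prints the same .reg content as the snippet above, plus the HKEY_LOCAL_MACHINE copy, so the policy survives logging in as a different account.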
Method 2: Group Policy -
Apply the Group Policy locally or in your domain:
> Click Start and then click Run
> Type gpedit.msc and click OK
> The Group Policy window will open. In the left pane, double-click Administrative Templates
> In the right pane, double-click System
> Scroll down the list and double-click Turn Off Autoplay
> In the Turn Off Autoplay Properties window, select Enabled. From the dropdown next to Turn Off Autoplay on, select All drives and then click OK
> Exit Group Policy by selecting File, then choosing Exit from the menu.
Hope these methods help...
Wednesday, December 3, 2008
Norton Insight - (Project name: SAPHIRE or “Scan less by Avoiding Proven High Incident Recurring Entities”)
Taken from the Norton Protection Blog; write-up by Kunal Karandikar and Pieter Viljoen
Over the last few years Symantec's engineering team brainstormed ways to reduce the overall system performance impact caused by security products. It was evident that one of the basic contributors to slowdowns is file-based scanning. With this in mind, they looked for technology that eliminates scanning of files already known to be safe. This is where Norton Insight was born. Its initial project name was SAPHIRE, which stands for "Scan less by Avoiding Proven High Incident Recurring Entities."
Norton Insight Technology:
Norton Insight catalogs interesting files on the system, and assigns a SHA256 value to the file. A secure connection is established from the client to the Norton Insight backend system. The client provides the backend with the SHA256 value of the file and a lookup is performed in the backend database. If a match is found, the trust attributes associated with the file are returned to the client. The client then assigns the trust attributes to the file.
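As an added illustration (not code from the Norton blog or from Symantec), the following Python sketch models the client-side half of that flow: catalogue files by SHA256, look each digest up in a trust database, and skip the scanner only for files the database marks trusted. The catalogue, the file contents and the trust attributes are constructed for the example; the real backend is remote and queried over a secure channel. It also shows why trust keyed on a hash is robust to tampering: a copy of a trusted file that differs by a single byte gets a different digest and falls back to being scanned.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """SHA256 of a file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


class TrustCatalog:
    """Stand-in for the Norton Insight backend: SHA256 -> trust attributes.
    The real client queries a remote database over a secure channel; this is local."""

    def __init__(self, entries):
        self._entries = dict(entries)

    def add_trusted(self, path, **attrs):
        self._entries[sha256_of(path)] = dict(trusted=True, **attrs)

    def lookup(self, digest):
        return self._entries.get(digest)  # None: the backend has never seen this file


def triage(paths, catalog):
    """Split files into those that may skip scanning (trusted by hash) and those to scan.
    Fails closed: unknown files, and known-but-untrusted ones, are always scanned."""
    skip, scan = [], []
    for path in paths:
        attrs = catalog.lookup(sha256_of(path))
        if attrs and attrs.get("trusted"):
            skip.append(Path(path).name)
        else:
            scan.append(Path(path).name)
    return skip, scan


def demo():
    """Constructed scenario: one catalogued vendor binary, one unknown file, and a
    copy of the vendor binary that differs by a single trailing byte."""
    tmp = Path(tempfile.mkdtemp())
    vendor = tmp / "vendor.dll"
    vendor.write_bytes(b"MZ" + b"\x00" * 1000)               # constructed, not a real PE
    unknown = tmp / "dropper.exe"
    unknown.write_bytes(b"MZ" + b"\x90" * 1000)
    tampered = tmp / "vendor_patched.dll"
    tampered.write_bytes(b"MZ" + b"\x00" * 999 + b"\x01")    # one byte changed
    catalog = TrustCatalog({})
    catalog.add_trusted(vendor, publisher="ExampleCorp", prevalence="high")
    return triage([vendor, unknown, tampered], catalog)


if __name__ == "__main__":
    skip, scan = demo()
    print("skip scanning:", skip)
    print("must scan:    ", scan)
```

The design point to keep is that the lookup fails closed: only a positive "trusted" answer from the catalogue ever skips a scan, so a file the backend has never seen, or a lookup that cannot complete, is treated exactly like any other unknown file.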
Improvements:
Norton Insight will reduce system performance issues in the following ways:
· By eliminating all security evaluations on trusted files, frequently accessed files, and commonly used applications running unconstrained, the overall system performance and responsiveness is greatly improved.
· By not scanning trusted drivers, services, and startup applications as they are loaded and executed during the startup sequence, startup and shutdown times are decreased.
· By not scanning trusted applications as they are launched, application startup times are shorter as well.
· By not scanning trusted files during quick or full system scans, scan times are shorter.
To read the complete article, please visit the link below:
Microsoft Security Intelligence Report Summary (Volume 5)
(These are excerpts taken from the Microsoft Security Intelligence Report, Volume 5. Only the findings about malware trends are reproduced here.)
Malware - Global Trends
Microsoft security products gather, with user consent, data from hundreds of millions of computer systems worldwide and from some of the Internet’s busiest online services. The analysis of this data gives a comprehensive and unique perspective on malware activity around the world.
As a general rule, infection rates tend to be higher in developing countries/regions than in developed countries/regions, as reported by the Malicious Software Removal Tool (MSRT). The following map illustrates the infection rates of locations around the world.

Malware Cleaned
The total amount of malware and potentially unwanted software removed from computers worldwide increased more than 43%.
Patterns of malware detected and removed by Microsoft security products varied across countries and regions; however, Trojan downloaders and droppers constituted more than 30% of all malware removed by Microsoft security products worldwide.
Infection data gathered from some of the most populous regions around the world by several Microsoft security products demonstrates the highly localized nature of malware and potentially unwanted software. The following figure shows the relative prevalence of different categories of malware and potentially unwanted software in different regions in 1H08, expressed as a percentage of the total number of computers cleaned in each region.
Malware Infection By OS
The infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, at any service pack level.
The infection rates for the 64-bit editions of Windows Vista were both lower than those of their 32-bit counterparts.
For each version of the operating system, the higher the service pack level, the lower the rate of infection. This trend can be observed consistently across client and server operating systems half-year period over half-year period.
Service packs include fixes for all security vulnerabilities fixed in security updates at the time of issue, and sometimes they include additional security features and/or changes to default settings that help to protect users.
Server versions of Windows typically display a lower infection rate, on average, than client versions, especially when comparing the latest service pack version for each operating system.

Reference:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b2984562-47a2-48ff-890c-edbeb8a0764c&DisplayLang=en
Tuesday, December 2, 2008
Trojan.Gimmiv.A / W32.Wecorl / W32.Downadup & MS08-067
Introduction:
The Server service in Microsoft Windows 2000, Windows XP and Windows Server 2003 allows an attacker to trigger a buffer overflow via a crafted RPC request. If this vulnerability is exploited successfully, the attacker can execute arbitrary code with SYSTEM privileges, which leads to complete compromise of the affected system.
This vulnerability is tracked as CVE-2008-4250. It is a CRITICAL Server service vulnerability and has already been exploited by Trojan.Gimmiv.A / W32.Wecorl / W32.Downadup.
Exploitation:
The following proof-of-concept exploit code is available from SecurityFocus (http://www.securityfocus.com):
http://www.securityfocus.com/data/vulnerabilities/exploits/31874.zip
http://www.securityfocus.com/data/vulnerabilities/exploits/31874.c
http://www.securityfocus.com/data/vulnerabilities/exploits/31874.py
Malware:
This vulnerability was discovered a couple of weeks earlier as part of research into possible malware exploitation of Windows XP. Once it was felt that the vulnerability in the Server service was "wormable", on
Trojan.Gimmiv.A was discovered on
http://www.symantec.com/en/ph/enterprise/security_response/writeup.jsp?docid=2008-102320-3122-99
W32.Wecorl was discovered on
http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99
W32.Downadup was discovered on
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
Solution:
Microsoft has released a security bulletin for the problem; it can be referenced at: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Reference:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
http://www.securityfocus.com/bid/31874/info
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
http://www.microsoft.com/security/portal/Entry.aspx?name=Exploit%3aWin32%2fMS08067.gen!A
