Thursday, October 30, 2008

Malware and Trojans via Google search results

Last Wednesday I received a Google Alert for my name, Martijn van Halen, in combination with the company where I work, Payvision. I have registered several alerts since they give me a way to detect what people write about me or Payvision. Always handy.

This time the alert looked like somebody had written something about me. But when I clicked, I was redirected and confronted with the Antivirus 2009 product. This product has had some bad press lately since it's a Trojan: it pretends to be an antivirus but is malware itself. It's a tricky one since it states that your computer might be infected and that they have a cure.

They try to lure you into downloading and executing an exe. Our Forefront Client Security protects us from this kind of Trojan. Still, the way it uses a personal approach is very nasty. They crafted a page that would be picked up by Google and hoped that you would go to their site.

With Forefront Threat Management Gateway it produces the following warning:

So what do you do in such a case?


  1. First I reported the search result to Google. They removed the link from the search results the same day. Good work, Google.

  2. I pinged the URLs used to determine the IP. I checked that IP with http://www.ripe.net to find out who owns the IP or netblock and mailed the abuse and technical contacts.

  3. After that I reported the website via the Internet Explorer Phishing Filter.

That's more or less all I could do. Let's hope it helps other users and that the servers or domains become inactive.
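Step 2 above can be scripted. The following PowerShell is an added example, not from the original post: it resolves the host name from a suspicious URL and queries the RIPE whois server over TCP 43 to pull out the netblock and contact attributes. The host name is a placeholder; the script needs outbound DNS and TCP 43.

```powershell
# Added example, not from the original post: resolve a suspicious host name to its
# IP addresses and ask the RIPE whois server who holds each netblock, so the abuse
# and technical contacts can be mailed. The host name below is a placeholder.
$suspectHost = "suspicious-host.example.invalid"   # placeholder, replace with the real host name

function Get-WhoisRecord {
    param([string]$Query, [string]$Server = "whois.ripe.net")
    # Whois is plain text over TCP 43: send one query line, read until the server closes.
    $client = New-Object System.Net.Sockets.TcpClient($Server, 43)
    $stream = $client.GetStream()
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.WriteLine($Query)
    $writer.Flush()
    $reader = New-Object System.IO.StreamReader($stream)
    $text = $reader.ReadToEnd()
    $client.Close()
    return $text
}

# Keep only IPv4 addresses, which is what the RIPE inetnum objects describe.
$addresses = [System.Net.Dns]::GetHostAddresses($suspectHost) |
    Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }

foreach ($ip in $addresses) {
    $record = Get-WhoisRecord -Query $ip.IPAddressToString
    Write-Host "Whois for $($ip.IPAddressToString):"
    # RIPE answers with "key: value" lines. Keep the netblock, its name and the
    # contact attributes; abuse-mailbox is the address to send the abuse report to.
    # For addresses outside the RIPE region the reply is a placeholder record whose
    # remarks point to the responsible registry, so those lines are kept as well.
    $record.Split("`n") |
        Where-Object { $_ -match '^(inetnum|netname|abuse-mailbox|e-mail|tech-c|admin-c|remarks):' } |
        ForEach-Object { Write-Host "  $($_.Trim())" }
}
```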


Let me know if you ever experienced such a thing.


Thursday, October 23, 2008

New Microsoft update MS08-067 KB958644

Well, the Microsoft page has been updated.

http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

It now holds information about a new update, MS08-067 (KB958644), which affects the Server service. An unauthenticated remote attacker could gain control over a Windows machine, but the Server service must be reachable. Normally firewall systems prevent access to this service from the outside.

However, in combination with some Explorer exploits on a web page or in an email, an attacker could try to take over your servers and workstations. Nasty. So if you have the service protected with a firewall that blocks access to the following ports, you should be "safe" from direct attack from the outside.

System service name: lanmanserver

Protocol                  Ports
NetBIOS Datagram Service  UDP 138
NetBIOS Name Resolution   UDP 137
NetBIOS Session Service   TCP 139
SMB                       TCP 445

Source: http://support.microsoft.com/kb/832017
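As an added example (not from the original post or from Microsoft's bulletin), the same ports can also be closed on each host with the Windows Firewall with Advanced Security command line on Vista / Server 2008, as defence in depth behind the perimeter firewall; the rule names are my own and the group name is the built-in one.

```powershell
# Added example, not from the original post: host firewall rules for the lanmanserver
# ports listed above (netsh advfirewall, Windows Vista / Server 2008). Defence in depth
# behind the perimeter firewall, not a replacement for installing KB958644.

# 1. The built-in File and Printer Sharing allow rules open these ports to any address.
#    Limit them to the local subnet so the Server service is only reachable from the LAN.
netsh advfirewall firewall set rule group="File and Printer Sharing" new remoteip=localsubnet

# 2. On laptops that leave the building, block the four ports outright while the
#    public (untrusted network) profile is active. Block rules win over allow rules.
$ports = @(
    @{ Name = "MS08-067-NetBIOS-NS-137";       Protocol = "UDP"; Port = 137 },
    @{ Name = "MS08-067-NetBIOS-Datagram-138"; Protocol = "UDP"; Port = 138 },
    @{ Name = "MS08-067-NetBIOS-Session-139";  Protocol = "TCP"; Port = 139 },
    @{ Name = "MS08-067-SMB-445";              Protocol = "TCP"; Port = 445 }
)
foreach ($p in $ports) {
    netsh advfirewall firewall add rule name=$($p.Name) dir=in action=block `
        protocol=$($p.Protocol) localport=$($p.Port) profile=public
}

# 3. Verify that the rules are present and enabled.
netsh advfirewall firewall show rule name=all dir=in | Select-String "MS08-067"
```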


So, bottom line: use a firewall and make sure your workstations are updated and patches applied.

I must say a separate post from Microsoft would have been better; now it causes some confusion with the other updates.

Microsoft mystery patch revealed soon

Note: updated info here.

Today Microsoft has all system administrators and security professionals on alert because of a patch that will be released today. Actually, in a couple of hours more details will be revealed. The patch is special because it's being released outside of the normal Patch Tuesday schedule.

The info will be posted on the link below later today.

http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

Because nearly all Windows versions are affected and it's a remote code execution threat, one might think it concerns a service running on normal ports like HTTP or SMTP, or maybe an ASP.NET threat. But something with the TCP/IP threat which was disclosed a couple of weeks ago is also possible. That, in combination with proof that it could create a memory leak in a Windows system, might be combined with a buffer overflow and code execution.

So everybody in the security business and dealing with Microsoft Windows products should be on alert. Probably within a few hours after details are released the reverse engineering starts, and exploits will likely be released in the wild.

I will add a new post when more information is available. (new post added here)

Let me know what you think.

Tuesday, October 21, 2008

PCI Europe Brussels visit

Today I visited the PCI Europe event in Brussels, Belgium, an event aimed at companies that want to know more about PCI DSS compliance or do a better job at it. It attracts merchants that need to be compliant, PCI DSS solution vendors, QSA security companies and many more.

It's a nice event where you'll learn something new about PCI compliance every time. My focus was to learn about solutions that can make my life and that of my colleagues a little easier. This time we arrived rather late because of an accident near Antwerp, so we missed the first sessions. I have some nice papers on new solutions we might consider, so from that perspective it was good to be there.

My impression of the event is that it's aimed at people who need to be convinced of PCI or are just starting, not at people that are already compliant and want to go a little more in-depth or technical. That's a miss, I must say; I'm quite sure there is a need for such an event or sessions. We are now in our second year of being compliant and don't need to be convinced of its necessity anymore. It has become a business need required by partners, acquiring banks and bigger merchants.

But I must admit each time I go I see more people, not yet compliant or just starting. Weird or not? Maybe next year will be different, since I expect lots of companies will try to be compliant before the end of this year.

Let me know what you think about PCI.

Wednesday, October 15, 2008

Tips: Hyper-V ping issues Windows 2003 server guests

Aside from the normal blog articles, I'm adding some tips about things I have encountered myself that helped me a great deal. The first tip is about the Hyper-V role in Windows 2008.

During my play time with Hyper-V I noticed some very strange ping times when pinging the guest's own name. The guest OS was Windows 2003 Server R2 with all Hyper-V drivers installed. After some online research I found that the problem had to do with having multiple CPUs enabled on the guest. When pinging the guest, the internal timer got confused and this resulted in weird values (negative ping times). When ping is not reliable, other features like Group Policy also suffer and generate errors (Event ID 1054) in the event log.

To resolve this issue you can do one of the following:
  1. Use Windows 2008 Server as the guest OS (recommended if possible).
  2. Use only one CPU when Windows 2003 is used as the guest OS.
  3. Adjust the boot.ini of the Windows 2003 guest and add /usepmtimer to the last line so it looks like:
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect /usepmtimer
Another Hyper-V tip is to watch for BIOS updates for your server. During the Hyper-V beta I had a new BIOS update for the Dell PowerEdge 2950 with every beta update, and sometimes for the Broadcom NICs as well.

Hopefully this works for you like it did for me.

Monday, October 6, 2008

Secure Windows Mobile innovation

Working mobile has become a commodity. Accessing email, calendar, files and more is something companies encourage and support since it helps increase the productivity and availability of employees. But there is a downside: confidential information, passwords, user names, emails and documents are at risk.

All this information is synced via technologies like UMTS/3G, GPRS, WiFi, Bluetooth, USB and more, and copied to the device's internal memory or SD cards. Your information has left the building.

It's important to think about the risks. Some examples:

  • phones are stolen or lost

  • phones are synced with other computers or devices

  • memory cards are used with other devices

  • transmission of data could be intercepted

So how do you protect your Microsoft environment against this? I'm glad to tell you Microsoft has done the work for us with Windows Mobile 6.1 and Exchange Server 2007.

It's important that the mobile devices have Windows Mobile 6.1 or higher. Why? WM 6.1 supports the security policies enforced by ActiveSync and Exchange 2007.

Before the first sync the device updates its security policy, making it possible for sysadmins and mobile workers to perform a remote wipe when a phone is stolen or lost. But what happens in the meantime?

Make sure you have configured a password policy in Exchange 2007, via the Exchange 2007 Management Console: Client Access, Exchange ActiveSync Mailbox Policies.



Once the password option has been selected you get the encryption options as well. I suggest using both, since this will encrypt the device memory and SD cards. The password/PIN allows access to the SD card and device memory via ActiveSync.

For environments with extra security needs it's also possible to prevent usage of the webcam, Bluetooth, WiFi, unsigned applications and specific applications.

Together with 128-bit SSL, the transmission and storage will be safe, even when the device is stolen: the device will perform a local wipe after a set number of failed attempts. The remote wipe even has a confirmation message as well. A mobile worker can even remote wipe his/her own device with Outlook Web Access.
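The same policy can be created from the Exchange Management Shell instead of the console. This is an added example, not from the original post: it builds one ActiveSync mailbox policy with the password, encryption and device restrictions described above, assigns it to a mailbox, and shows the remote wipe commands. The policy name "Mobile-Strict" and the mailbox alias "jdoe" are placeholders; the cmdlets and parameters are those of Exchange 2007 SP1.

```powershell
# Added example, not from the original post (Exchange 2007 SP1 Management Shell).
# Placeholders: policy name "Mobile-Strict", mailbox alias "jdoe".

# Password/PIN required, alphanumeric, at least 6 characters, and the device locks
# itself after 5 minutes idle. MaxDevicePasswordFailedAttempts is the "so many tries"
# after which the device performs its local wipe.
# RequireDeviceEncryption / RequireStorageCardEncryption encrypt device memory and SD card.
# AllowNonProvisionableDevices $false refuses devices that cannot apply the policy
# (older than Windows Mobile 6.1), so no unprotected device can sync at all.
New-ActiveSyncMailboxPolicy -Name "Mobile-Strict" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AllowCamera $false `
    -AllowBluetooth Disable `
    -AllowWiFi $false `
    -AllowUnsignedApplications $false

# Assign the policy to a user; it is pushed to the device at its next sync.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Mobile-Strict"

# Remote wipe of a lost or stolen device: list the user's device partnerships,
# then clear the one that is gone. The device acknowledges the wipe when it next
# connects, which is the confirmation message mentioned above.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceID, DeviceType, LastSuccessSync, Identity
# Clear-ActiveSyncDevice -Identity <Identity value from the list above>
```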

So forget about the iPhone, start caring about your information and give everybody a cool HTC device with Windows Mobile 6.1 or higher. For more options check here.

Thanks for reading. Next time we talk about notebooks, another great security risk...