Zero-Day vulnerability in Adobe products enables takeover of system

It looks like there is a new vulnerability out that affects Adobe Flash Player, Acrobat and Reader. An exploit is already circulating on the Internet. Attackers can take over your system if you open an infected file (Flash, PDF, etc.).

From this Adobe advisory:

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

There is no fix yet. Stay tuned.

Facebook “Un Named App” scare leads to malware

Excellent write-up by Trend Micro on the ‘un named app’ discussion that is spreading on Facebook. If you search Google for this, you may be tricked into downloading malware to your machine and getting compromised.

Here is the article.

[…] Nothing to worry about here as far as your Facebook is concerned, this does not appear to be a genuine malicious app. In fact a thread on Yahoo answers appears to demonstrate in a reproducible fashion that “Un named App” is nothing more than your “Boxes” tab on your Facebook profile page.

Beware though, there is still real risk attached to this Chinese whisper. Criminals have picked up on the concern among Facebook users (or possibly they were responsible for starting the rumour?) and they have already started to poison Google search results.

Google search result:

I queried Google for “facebook unnamed app” and the third result on the first page pointed to a malicious website set up for the purposes of distributing fake anti-virus software, this time called “Security Tool”. If you are unwary enough to click the link you will be presented with a dialogue box informing you that you have a huge number of infected files on your machine and prompting you to use Security Tool to clean them up. The software of course is no real security solution and is designed to fool the victim into parting with hard-earned cash.

Be careful what you surf for.

How to secure your Windows machine.

A recent statistic I read stated that over 70% (SEVENTY PERCENT) of new infections come from surfing to legitimate sites that are infected. A recent case was the New York Times (full story here):

Here’s a front-page story the New York Times (NYT) would rather not be running: The paper is warning readers to be aware of bogus ads running on its Web site. The paper says “some readers” have seen unauthorized pop-up ads promoting antivirus software on NYTimes.com, and warns visitors who see the ad not to click on it but to restart their browsers instead. While the Times doesn’t spell this out, the newspaper has likely had its site hijacked by a “malware” scammer who is trying to trick visitors into installing pernicious software onto their hard drives.

Thus, simply visiting your usual legitimate web sites is enough to get infected. You no longer have to browse to any questionable content to get compromised.

In light of this, lots of people have been asking me what, in my opinion, is needed to reliably secure a Windows machine and protect it from the threats that are out there – viruses, worms, trojans, etc.

I recommend setting up multiple layers of defense on a Windows machine. The items below are listed in order of importance, highest first.

1. Keep your Windows machine current with the latest patches.
Ensure that Windows Update is turned on and configured to automatically download and install patches. If you put your machine into standby mode (instead of turning it off every day), pay attention to whether patches are waiting to be installed and the machine needs to be rebooted. I encounter a lot of installations that never get turned off, where the patches never get installed (although they are downloaded and ready to go).

2. Install an Anti-virus scanner.
This can be one of the big names out there: AVG (free), Norton, Trend Micro, McAfee. Get one of their package offerings that include phishing protection, link scanning, encrypted password storage. DO NOT BELIEVE that this is the only thing you need. Although they want to make you think that this is all you ever need, it is not true. Even the best AV scanners cannot keep up with the ever-changing strains of viruses that are out there (strains change hundreds or even thousands of times a day), therefore you need to have multiple layers of scanners to get a higher rate of protection.

Make sure that the ‘auto-protect’ features are turned on, i.e. the AV scanner runs ‘resident’ in memory. That means that live protection is turned on and viruses do not make it through.

IMPORTANT: YOU STILL NEED TO DO WEEKLY FULL SYSTEM SCANS.

Some people believe that they can leave auto-protect on but never scan their systems. The caveat is that auto-protect may miss a new strain of a virus and let it through. Auto-protect only checks files as they are opened or written, so even once the signatures have been updated, it never goes back over what is already sitting on your disk.

A full scan does go back over the disk and may then find it, so you need to make sure to actually run these scans.

Product-wise, I have been using Norton Internet Security for a long time, but I will let the license expire and try out a different AV scanner next year. Norton has disappointed me recently with the failure rate it has, i.e. viruses that do not get caught by it. Ideally, you use at least 2 different virus scanners, but this may get costly if you are looking to purchase solutions.

I am currently trying out the new Microsoft Essentials ‘AV and Malware’ scanner that was released on 9/30/09. I believe that AV and Malware protection should be free and included in an Operating System, but the MS AV scanner may still need some tuning to be comparable to any paid ($$) solution.

3. Install a separate Malware scanner. This is important.

You NEED to have a backup scanner to whatever AV solution you are using. This significantly increases the rate of detection and reduces your total exposure.

I recommend Malwarebytes’ Anti-Malware for this. It has worked well for me. There is a freeware and a commercial version for it. The major difference between the freeware and the paid version is that in the free version you have to run manual scans and it does not run in the background protecting you from new threats. I recommend you spend the $25 and purchase it. It is worth it. The interface is simple and structured in a no-nonsense kind of way, focusing on scanning, updating its database and showing you results of the last scans.

If you do not want to shell out the money to buy the full version, I recommend you use the Windows Task Scheduler to run this software daily to update the database and at least weekly to do a full scan of your system. It supports command-line arguments. Shoot me an email at info (AT) gansec.com if you want to have instructions on how to do that.

4. Install Secunia Personal Inspector to keep your applications up to date

Install Secunia PSI to keep your third party applications (Adobe PDF Reader, Flash Player, Shockwave, Real Audio Player, any other stuff you use besides Microsoft Software) current. It scans your system and matches it up with an always current database of new versions for the applications you use. It is an extremely handy tool that you will not want to miss once you get used to it. You would not believe how many third party applications can severely compromise your system security if exploits are used against vulnerabilities that they have (example). Secunia PSI is Freeware.

5. Install a firewall on your Windows machine.

This usually comes with Windows (Windows Firewall) or with one of the ‘Internet Suites’ of the commercial AV vendors. It blocks unwanted connection attempts, malware that tries to communicate outbound on ports other than your standard web port (80), and potential inbound hacking attempts. Make sure it is enabled. When you first enable a firewall you may have to permit standard ports (e.g. outbound Web for iexplore.exe, firefox.exe, etc.), but this will settle down after the initial turn-up. Yes, it is extra work, but you need to invest it.

6. Keep backups.

Keep backups of your Windows installation. You can burn the data on DVDs or use external storage solutions. If you would like to look into external storage (especially important if you own a small business), I recommend Netgear’s ReadyNAS storage solution: about $1K for a fully redundant 1 terabyte of storage. It is extremely trivial to set up (takes about 10 minutes from the time you turn it on until it is configured and ready to receive backups). Data will not be lost on this one.
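As an added example (not code from the original post), the following PowerShell script turns steps 1, 2/3, 5 and 6 of the list above into something you can run and re-run on a Windows machine: it reports the Windows Update configuration and whether a reboot is pending, registers the scheduled definition-update and weekly full-scan tasks the Malwarebytes paragraph describes, switches the Windows Firewall on for all profiles, and mirrors your documents to external or NAS storage. The scanner path and its command-line switches, the backup destination and the browser path are assumptions you must fill in; the Windows pieces it relies on (the Windows Update Agent COM object, schtasks.exe, netsh advfirewall, robocopy.exe) ship with Windows Vista and later.

```powershell
# Added example, not part of the original post. Run from an elevated
# (Administrator) PowerShell prompt. Scanner path/switches, backup destination
# and browser path are PLACEHOLDERS; fill them in for your own machine.

# --- Step 1: is Windows Update set to install automatically, and is a reboot pending? ---
function Get-WindowsUpdateStatus {
    # Windows Update Agent COM API; NotificationLevel 4 = "install updates automatically"
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $levels = @{ 1 = 'Disabled'; 2 = 'NotifyBeforeDownload'; 3 = 'NotifyBeforeInstall'; 4 = 'ScheduledInstall' }
    # Windows Update creates this key when installed patches still need a restart
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    New-Object PSObject -Property @{
        NotificationLevel  = $levels[[int]$au.Settings.NotificationLevel]
        AutoInstallEnabled = ([int]$au.Settings.NotificationLevel -eq 4)
        LastInstallSuccess = $au.Results.LastInstallationSuccessDate
        RebootPending      = (Test-Path $rebootKey)
    }
}

# --- Steps 2/3: daily definition update and weekly full scan for a scanner with a command line ---
function Register-ScannerTasks {
    param(
        [Parameter(Mandatory=$true)][string]$ScannerExe,    # placeholder: full path to the scanner's CLI binary
        [Parameter(Mandatory=$true)][string]$UpdateArgs,    # placeholder: the scanner's "update definitions" switch
        [Parameter(Mandatory=$true)][string]$FullScanArgs,  # placeholder: the scanner's "full system scan" switch
        [string]$ScanDay  = 'SUN',
        [string]$ScanTime = '03:00'
    )
    # /RU SYSTEM runs the task even when nobody is logged on, /RL HIGHEST gives it
    # administrator rights, /F overwrites a task of the same name.
    & schtasks.exe /Create /F /TN 'Malware scanner - daily update' /SC DAILY /ST 02:00 `
        /RU SYSTEM /RL HIGHEST /TR "`"$ScannerExe`" $UpdateArgs"
    # Weekly full scan an hour after the update, so it runs on fresh signatures.
    & schtasks.exe /Create /F /TN 'Malware scanner - weekly full scan' /SC WEEKLY /D $ScanDay /ST $ScanTime `
        /RU SYSTEM /RL HIGHEST /TR "`"$ScannerExe`" $FullScanArgs"
}

# --- Step 5: Windows Firewall on for every profile, unsolicited inbound traffic blocked ---
function Enable-HostFirewall {
    & netsh.exe advfirewall set allprofiles state on
    & netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    # Print the resulting state so the change can be verified
    & netsh.exe advfirewall show allprofiles state
}

# Explicit outbound allow rule for one browser on the web ports. This is the "permit
# standard ports" work the post mentions; it only matters once you tighten the outbound
# policy to blockoutbound, which this script deliberately does not do by default.
function Add-BrowserOutboundRule {
    param(
        [Parameter(Mandatory=$true)][string]$RuleName,
        [Parameter(Mandatory=$true)][string]$ProgramPath  # placeholder, e.g. path to firefox.exe
    )
    & netsh.exe advfirewall firewall add rule "name=$RuleName" dir=out action=allow `
        "program=$ProgramPath" protocol=TCP remoteport=80,443
}

# --- Step 6: mirror the user's documents to external or NAS storage ---
function Backup-Documents {
    param(
        [string]$Source = [Environment]::GetFolderPath('MyDocuments'),
        [Parameter(Mandatory=$true)][string]$Destination  # placeholder, e.g. 'E:\Backup\Documents' or '\\nas\backup\docs'
    )
    # /MIR mirrors the tree including deletions (so keep more than one backup generation),
    # /R:2 /W:5 stop one unreadable file from stalling the job, /LOG records what was copied.
    $log = Join-Path $env:TEMP 'documents-backup.log'
    & robocopy.exe $Source $Destination /MIR /R:2 /W:5 /NP "/LOG:$log"
    # robocopy exit codes 0-7 mean success or partial success; 8 and above mean copy failures
    return ($LASTEXITCODE -lt 8)
}

# Audit report runs on every execution; the functions that change settings are opt-in.
$status = Get-WindowsUpdateStatus
$status | Format-List NotificationLevel, AutoInstallEnabled, LastInstallSuccess, RebootPending
if (-not $status.AutoInstallEnabled) { Write-Warning 'Windows Update is not set to install automatically (step 1).' }
if ($status.RebootPending)           { Write-Warning 'Patches are installed but waiting for a reboot (step 1).' }

# Examples of the opt-in calls (all arguments are placeholders):
# Register-ScannerTasks -ScannerExe 'C:\Program Files\<scanner>\scanner.exe' -UpdateArgs '<update switch>' -FullScanArgs '<full scan switch>'
# Enable-HostFirewall
# Add-BrowserOutboundRule -RuleName 'Allow Firefox web' -ProgramPath 'C:\Program Files\Mozilla Firefox\firefox.exe'
# Backup-Documents -Destination 'E:\Backup\Documents'
```

The audit part answers the standby-mode question from step 1 directly: a machine that never reboots shows RebootPending as True and an old LastInstallSuccess date. The scanner tasks take the switches from your product's documentation rather than hard-coding them, since those differ between scanners and versions, and the backup function returns a true/false result so it can itself be scheduled with schtasks.exe and checked from its log.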

These are 6 simple steps to get going on Windows Security. It takes some work to get there, but believe me, it beats the ‘man, my system is lost because of infections, I lost my documents, my bank account information got stolen and people write checks in my name via my Online-Banking access’ by far.

– Sven Olensky.

Vulnerability in Adobe Reader and Flash Player – remote break-ins possible

Be careful when you use Flash Player to watch videos on the Internet or in your E-mail; also don’t open PDF files from unknown sources. There is currently an exploit in the wild that makes use of a new vulnerability, which essentially can result in an attacker taking over your system. There is currently no patch for this; Adobe is working hard to get one out next week. Until then, be cautious!

See the details on Adobe’s site: 
http://www.adobe.com/support/security/advisories/apsa09-03.html

[…] A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.
[…]
We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009 […] Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date.

Conficker, week late, activated now

Conficker.C woke up recently. It can now also be referred to as Conficker.D / Conficker/D, Downadup.E, Downadup/D. It downloaded an update that most likely contains a key logger and other good stuff.

This Trend Micro article states:

Days after the April 1st activation date of Conficker, nothing interesting was seen so far in our Downad/Conficker monitoring system except the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes.

Well that was until last night when we saw a new file (119,296 bytes) in the Windows Temp folder. Checking on the file properties reveals that the file was created exactly on April 7, 2009 at 07:41:21.

There may be some web traffic to a certain site, http://goodnewsdigital(dot)com, and some sites recommend blocking it, but this is difficult, as the Internet addresses that this site points to change with every look-up!

Best way of dealing with this: update your signatures of whatever Anti-Virus installation you have and scan all your machines ASAP.

Waiting for the Internet to blow up – or not?

Numerous reports have been referring to the Conficker/C (Conficker.C, Downadup.C) worm that has apparently infected tons of machines across the Internet. Apparently, on April 1st, a central machine/system is supposed to take over the compromised boxes.

Whether it happens or not, and what exactly will happen, nobody can really tell for certain ahead of time.

The worm disables security updates, blocks access to certain security vendor sites. Aside from that, it will ‘phone home’ on 4/1, download updates if possible and may receive further instructions on what to do next.

Whatever happens – don’t be part of it. Run the malware scanners, clean your machines up, patch them up.

See my other article about patch details.
UPDATE: Microsoft has a neat summary post up on their site.

Conficker/C (Downadup.C) set to trigger April 1st – Fix your PC NOW.

A computer-science detective story is playing out on the Internet as security experts try to hunt down a worm called Conficker C and prevent it from damaging millions of computers on April Fool’s Day. (CNN)

There is some extensive coverage going on on the Internet about this new variant of an old worm: Conficker/C (also called Downadup.C) is a modern version of the original Conficker worm that I had written about in the past. It seems to have only little in common with its forefather, however.

Apparently, Conficker/C uses encryption, peer-to-peer technology and evasion techniques to avoid detection by security products; even worse, it disables them.

On top of all that, it is apparently set to execute on April 1st (yes, next week), to download updates and possibly use the infected system for whatever it is programmed to do (attack certain sites maybe?).

Oh yeah, and it relinquishes control to a master computer. Maybe.

Whatever it does, you want to make sure that you are not infected ASAP.

Download this tool from Symantec, scan your machine, remove anything evil and be merry.

Reports on New York Times, ZDNet, CNN, etc.

Analysis on MRT.SRI.COM (technical gibberish).