Security Newsletter - Issue 1, Wed 25th Jan 2006



merciarich
25-01-2006, 04:21 PM
Issue 1, Wednesday 25th Jan 2006

Hey everyone and welcome to the first Networking & Security newsletter. As a
qualified PC Technician, I understand what an important part user vigilance is
to the way computers work nowadays. Since security is now such a large issue
within computing, it only seemed right that we do a weekly newsletter on the
forums so that all the users are kept up to date with all the latest virus,
vulnerability and security news.

News In Brief:

- FBI publishes 2005 computer crime survey
- The Brain virus turns 20
- Nyxem Worm Marks Files for Deletion (Read Article 2 below)

Article 1 : Online Crime
Cybercrime is moving from broad ego-driven outbreaks to much smaller targeted
attacks aimed at stealing sensitive data or extorting money from companies, IBM
stated in its 2005 Global Business Security Index Report released on Monday.

The conclusion explains the apparent drop in high-profile attacks in 2005, a
year that saw only moderate threats such as the Zotob worm and the Sober virus.
The company, however, saw a major increase in the number of targeted attacks,
which generally are not well covered by the media. Between two and three
targeted attacks were intercepted each week in 2005, according to a summary of
the IBM report.

"IBM believes that the environment has shifted," Cal Slemp, vice president of
IBM's security and privacy services, said in a statement. "With increased
security protection on most systems and stiffer penalties, we are seeing
organized, committed, and tenacious profiteers enter this space. This means that
attacks will be more targeted and potentially damaging."

The recent guilty plea by a 20-year-old California man for compromising hundreds
of thousands of computers to create a botnet and then selling access to those
computers underscores the shift in cybercrime towards more profitable activity.

Article 2 : Nyxem Worm
Instead of delivering the adult material promised by its subject line, a new
mass-mailing worm is preparing to delete files on infected Windows machines and
shares on a certain date.

The cleverly named Nyxem worm lies in wait until the date reaches the 3rd of any
given month (e.g. February 3, March 3, and so forth). When the system clock
reaches that day, the worm erases several filetypes on all available drives
including .zip, .doc, .xls, .psd and others.

Nyxem searches for email addresses in IE's cache and then forwards itself using
its own mail engine and one of several different subject lines, most of which
hint at adult pictures and videos. It also attaches a .pif executable or a
MIME-encoded equivalent containing .scr files.

F-Secure reports that it attempts to copy itself to all shared folders on a
network. Moreover, it targets anti-virus software from several vendors (Norton,
McAfee, Kaspersky, Trend Micro...), erasing their directories.

In a new twist, Nyxem.E keeps a tally of the systems it has infected on a
website. By Saturday, the worm's counter logged over half a million infections.

Additionally, Nyxem disables scores of other security software by going into the
registry and deleting their startup key values. The long list includes many
popular free and paid anti-malware products. It also targets file-sharing apps,
rendering P2P staples like *********, ******** and ******** ineffective.

Sophos senior technology consultant, Graham Cluley, warns that a worker's
curiosity can put the entire company's security at risk.
Cluley offers some common-sense tips for employers, saying, "Companies should
educate their users to practice safe computing - that includes never opening
unsolicited email attachments and discouraging the sending and receiving of joke
files, ****ography and funny photographs and screensavers."

Article 3 : Windows Wi-Fi Flaw
News of a Windows vulnerability is nothing new. But even the most jaded
of users will sit up and take notice when it affects a widely used and generally
well-liked feature like Wi-Fi networking.

Lately, a security researcher's report detailing this "exploit" has stirred up a
bit of a hornet's nest online. And it all rests on how Windows negotiates SSIDs
and manages ad-hoc connections.

An advisory from the Nomad Mobile Research Centre (NMRC) authored by Mark
Loveless (aka Simple Nomad) details how XP/2000 machines are susceptible. The
Microsoft Windows Silent Adhoc Network Advertisement exploit carries a severity
rating of "High (albeit lame)".

In summary, Windows XP and 2000 systems first attempt to connect to a default or
home AP as configured by a computer's user or administrator. An attacker in
ad-hoc mode can use this behavior, along with the tendency of users to keep
their preferred access point's out-of-the-box SSID unchanged, in the hopes of
luring users into establishing an ad-hoc connection under the guise of their
home network. Others can then pile on in a domino-like fashion as the impostor
SSID is inherited from user to user.

Eric Griffith of Wi-Fi Planet sums up the danger as such:
"The real threat is that hackers know many people don't bother to reset their
router/access point SSIDs from the default, and can use this feature of XP to
associate directly with a laptop. It's an 'evil twin' attack on automatic, but
instead of mimicking a hotspot's SSID, the attacker looks like your home
network."
He points out, however, that several factors have to fall into place for it to
be successful, reducing the likelihood of this becoming a widespread attack
vector. For example, Windows XP SP2 will alert users when establishing an ad-hoc
connection. Indeed, the NMRC recommends upgrading to SP2 as a measure of
protection.

Other recommendations include disabling wireless networking when not in use and
setting the system to connect in infrastructure mode only.
Microsoft, for its part, is looking into limiting the risk and is working on
ways to provide better management over ad-hoc networks.

Virus of the Week: PWSteal.Wowcraft.C

(PWSteal.Wowcraft.C, no known AKAs)

PWSteal.Wowcraft.C is a Trojan horse that attempts to steal sensitive
information related to online games and send it to a remote attacker.

Although this virus is a low threat, it is causing quite a stir in the
online game world. Read more about this virus (and removal instructions) by
clicking this link:
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.wowcraft.c.html
-------------------------------------------------------------

Thank you for taking the time to read this newsletter. A new issue is posted on the Wednesday of every week!
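
The attachment behaviour described in Article 2 (a .pif executable, or .scr files carried inside the MIME structure) can be screened for at a mail gateway. The following is an added example, not part of the original newsletter: the function names and the sample messages are constructed for illustration, and ignoring trailing dots and spaces in filenames is an added assumption about how Windows treats such names.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Article 2 names for Nyxem's attachments.
BLOCKED_EXTENSIONS = (".pif", ".scr")


def risky_attachments(raw):
    """Return the filename of every MIME part that ends in a blocked extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # walk() also descends into multipart containers and forwarded
    # message/rfc822 parts, so nested attachments are inspected too.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Assumption: Windows drops trailing dots/spaces, so ignore them here.
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def build_sample(filename):
    """Constructed test message carrying one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def wrap_as_forward(inner_raw):
    """Constructed outer message that carries another message as an attachment."""
    outer = EmailMessage()
    outer["Subject"] = "Fwd: constructed sample"
    outer.set_content("Forwarded message attached.")
    outer.add_attachment(message_from_bytes(inner_raw, policy=policy.default))
    return outer.as_bytes()


if __name__ == "__main__":
    for sample in ("photos.pif", "Video.SCR", "report.doc"):
        print(sample, "->", risky_attachments(build_sample(sample)))
    print("nested ->", risky_attachments(wrap_as_forward(build_sample("clip.scr"))))
```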