For those of you not aware, Microsoft will be releasing Internet Explorer 7 in early 2006. With IE7 well on the way, Microsoft has started releasing updates on a regular basis detailing the changes they are making to Internet Explorer and what those changes will mean to the end user. Even a casual read of the IE7 blog makes you well aware that security is the word of the day for IE7. From moving the security lock to the address bar, to changing the color of the address bar when at a malicious site, every detail of Internet Explorer has been looked at in an effort to make users safer and more secure online. This article will look at the web content zones: what they are and how they will change in Internet Explorer 7.
What is a Web Content Zone?
Currently Internet Explorer classifies websites as either an Internet site (a site accessed on an outside network), a local intranet site (a site accessed from a local network), a trusted site (a site you trust to install and run code on your computer), or a restricted site (a site which is probably dangerous and will try to infect your browser and operating system with spyware or something similar). As the names imply, different levels of trust are given to the different site types.
If you want a real-life example, think of these zones as how you classify people. The Internet zone is like meeting someone on the street: you will probably not outright shun this person, but you are not likely to give him the keys to your car either (unless he is a valet). The Intranet zone is like your coworkers: most of us feel fairly safe with our coworkers and would not object to having them over to the house for a barbecue. The Trusted zone is like your doctor: you trust him or her with your life and health. Finally, the Restricted zone is like your cousin's friend who just got out of prison for armed robbery: while you may have to tolerate him, you will watch him when he is in your house and probably not leave him to babysit your kids.
As with meeting people, security zones let you, the user, define specific behaviors for your browser when visiting a site online. If you are using Gmail and are prompted to install an ActiveX control every time you visit the site, you will probably get tired of being prompted; conversely, if you are tricked into visiting a malicious site through spam, you probably want to be notified if it wants to install something on your computer.
Protected Mode, Medium-High, Eolas: How the Internet Zone Has Been Changed
The default setting for the Internet zone has been changed from Medium to Medium-High, or what Microsoft is calling protected mode. This change has been made to help prevent, and hopefully reduce, the attacks that IE has been plagued with in the past. Another new feature is ActiveX opt-in, which Microsoft is billing as a feature to "reduce potential damage from malicious ActiveX controls in the Internet zone" but which is really the result of the Eolas lawsuit settlement; an excellent description of it can be found at the link below. I do find it ironic that the most significant change in Internet zone security, and the thing that people complain about the most when comparing IE to Firefox, was settled through a lawsuit not over security but over patent infringement.
http://patentlaw.typepad.com/patent/2004/12/eolas_v_microso.html
Zone Spoofing
While I don't agree with the many in the web development community who say this will be a crushing blow to online development (frankly it is not that big of a deal: instead of browser plug-ins installing without asking your approval, you will be prompted to install them), I do agree that the implementation will take a while for people to get used to. Just as the web development community moved on from Windows XP Service Pack 2, they will adapt to IE after the Eolas agreement. Enough of that; let's continue to look at the various zones in IE and how they will change in IE7.
Intranet Zone: Possible Liability, Why Is It There?
The first problem you probably noticed with my description of these zones is that not all of them are useful to everyone. Seriously, how often do home users set up an intranet with an internal website that they then regularly use to access resources from the network? Overwhelmingly, the answer is probably not often. Hence this zone is not really useful to home users, so Microsoft changed the default behavior of IE to treat the intranet zone as it would treat the Internet zone. While the benefit of this is not readily apparent, it can help forestall some spyware that uses this vulnerability in IE to install its software on your computer without your knowledge. This particular attack, called zone spoofing, basically tricks your browser into treating a bad site as one you trust. For more information on zone spoofing, read the article linked below:
So what happens if you are on a domain? Well, in that case Internet Explorer will auto-detect the intranet sites on your domain and apply the appropriate zone settings to them. If a site administrator wants to change the default behaviors, they can do so by adjusting the settings in the Group Policy editor, which is much easier than doing the same thing for IE6.
Trusted Zone: Not So Trusted Anymore
The biggest change in the zone setup, in my mind, is the Trusted sites zone. Users of online software such as MLS platforms (multiple listing services), CMS portals (content management systems) and other online applications may need to tweak their settings for this zone after updating to IE7. Previously, Trusted zone sites were given a lot of freedom; as with your doctor, until they do something really wrong you generally trust their judgment. With IE7 the default setting for this zone has been changed from Low to Medium. While that does not sound like a lot, it is the difference between an acquaintance on the street and your doctor in our human-relationship example. The part that confuses me is that Microsoft is saying users can lower the security settings for this zone if they need to (recognizing they probably will), so why do it? Or better yet, why not let users adjust the security for specific sites in the zone rather than applying templates across the entire zone?
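Whether you are an administrator checking what Group Policy has pushed to the intranet zone, or a user wondering which sites you put in the Trusted zone back when it ran at Low, the place to look is the zone configuration IE stores in the registry. The script below is an added example, not code from the article or from Microsoft: it lists the template each zone is currently on, the sites explicitly mapped to the Trusted (2) and Restricted (4) zones, and the values that govern intranet auto-detection. It assumes the per-user layout under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings (Zones\<n>\CurrentLevel, ZoneMap\Domains and the ZoneMap detection values) and the template numbers IE uses for Low through High; policy-enforced values live under the Policies hives and override these when present.

```powershell
# Added example (not from the original article): audit IE security zone settings
# for the current user. Assumed registry layout is noted on each section.

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# CurrentLevel DWORD values that correspond to IE's named templates (assumed).
$levelNames = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-Low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-High'
    0x12000 = 'High'
}

function Get-IEZoneLevels {
    # Zone keys are numbered: 0 My Computer, 1 Local intranet, 2 Trusted sites,
    # 3 Internet, 4 Restricted sites. Anything not on a named template is 'Custom'.
    Get-ChildItem -Path "$base\Zones" | ForEach-Object {
        $z = Get-ItemProperty -Path $_.PSPath
        $level = if ($null -ne $z.CurrentLevel) { [int]$z.CurrentLevel } else { -1 }
        $name = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'Custom' }
        [pscustomobject]@{
            Zone        = $_.PSChildName
            DisplayName = $z.DisplayName
            Level       = ('0x{0:X} ({1})' -f $level, $name)
        }
    }
}

function Get-IEZoneSiteAssignments {
    # Sites the user mapped by hand: ZoneMap\Domains\<domain>[\<host>] carries one
    # value per scheme ('http', 'https' or '*') whose data is the zone number.
    $domains = "$base\ZoneMap\Domains"
    if (-not (Test-Path -Path $domains)) { return }
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        $key = $_
        $rel = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $parts = $rel -split '\\'
        # 'example.com\www' is the host www.example.com; 'example.com' alone covers the domain
        $site = if ($parts.Count -gt 1) { '{0}.{1}' -f $parts[1], $parts[0] } else { $parts[0] }
        foreach ($scheme in $key.GetValueNames()) {
            [pscustomobject]@{
                Site   = $site
                Scheme = if ($scheme) { $scheme } else { '(default)' }
                Zone   = $key.GetValue($scheme)
            }
        }
    }
}

function Get-IEIntranetDetection {
    # ZoneMap values that decide whether a site is treated as intranet:
    # auto-detection, dotless names, proxy-bypass addresses and UNC paths.
    $m = Get-ItemProperty -Path "$base\ZoneMap"
    [pscustomobject]@{
        AutoDetect    = $m.AutoDetect
        IntranetName  = $m.IntranetName
        ProxyBypass   = $m.ProxyBypass
        UNCAsIntranet = $m.UNCAsIntranet
    }
}

# 1. Template per zone
Get-IEZoneLevels | Format-Table -AutoSize

# 2. Flag a Trusted sites zone still on the pre-IE7 default of Low
$trusted = Get-IEZoneLevels | Where-Object { $_.Zone -eq '2' }
if ($trusted -and $trusted.Level -like '*(Low)') {
    Write-Warning 'Trusted sites zone is on the Low template; review the sites assigned to it.'
}

# 3. Sites explicitly placed in Trusted (2) or Restricted (4)
Get-IEZoneSiteAssignments | Where-Object { $_.Zone -in 2, 4 } |
    Sort-Object Zone, Site | Format-Table -AutoSize

# 4. Intranet detection settings
Get-IEIntranetDetection | Format-List
```

Run it in a normal PowerShell session; no elevation is needed because it only reads the current user's hive. The site list is the useful part after an upgrade: every site that is still in the Trusted zone is one that will run at whatever template that zone is set to, so the review that IE7's change to Medium invites is a review of that list, not just of the slider.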
Link: IEBlog: Dude, where's my intranet zone? (… and more about the changes to IE7 security zones).