Date: Mon, 4 Jul 2005 20:34:46 -0400 (EDT)
From: BCPLNET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: SANS "Ouch" Report July 1, 2005

-------------------------------------------
SANS INSTITUTE OUCH REPORT FOR July 1, 2005
-------------------------------------------

The "OUCH Report" is a monthly security alert e-newsletter published by the SANS Institute (www.sans.org) for redistribution to non-technical customers and staff. The latest issue of OUCH is below. I hope you find it informative. Many of the threats described are blocked by our Barracuda Spam and Virus Firewall, but not all. No firewall can ever be 100% effective, so we urge you to be alert for these and other potential threats against you and your computer.

****************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 2, No. 7                                    July 01, 2005
****************************************************************

Major threats this month:

Microsoft releases 10 New Patches - 3 Critical
Three of the software patches released by Microsoft correct problems rated as "critical".
Where you can read more on this story:
http://www.computerworld.com/printthis/2005/0,4814,102569,00.html

Also see section VIII below for equally critical Apple vulnerabilities.

************************

Good news on updating if you use Windows XP or Windows 2000 (XP1): you no longer have to update the operating system and Microsoft Office separately. To use the new combined service, go to:
http://update.microsoft.com

You still need to patch other software yourself. For example, several critical vulnerabilities in RealPlayer were announced this month. To fix them, open the software, click on Help and then on Check For Update, and follow the directions to download the free update.
************************

Other Patch Sites:

Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/en-us/officeupdate/default.aspx
Several patch sites for various applications and Windows updates: http://www.softwarepatch.com

And two others that may be accessed only by people using .mil addresses:
https://patches.mont.disa.mil/index.jsp (.mil address only)
https://ceds.ssg.gunter.af.mil/enosc/index.asp (.mil address only)

************************

Phishing Alerts - What To Avoid This Month
(currently there are approximately 161 alerts; the information is also available at http://www.millersmiles.co.uk/archives/current)

I. Top Rated Phishing Threats
These are e-mails that try to steal your identity (and your money)
I.1 Navy Federal Credit Union Phishing Scam
I.2 Update Your PayPal Account Information
I.3 Bank Of Oklahoma
I.4 Message from eBay Member (eBay)
I.5 Smith Barney: Security Maintenance
II. Virus and Hoax Alerts
II.1 W32/Mytob-BI (virus)
II.2 W32/Mytob-CV (virus)
II.3 W32/Chode-C (virus)
II.4 Skulls.L (Trojan)
II.5 BagleDl-R (Trojan)
II.6 Nokia phone promotion hoax
III. General Phishing/E-mail Information
III.1 Phishers are Exploiting MasterCard Breach
III.2 British government hit by e-mail attack
IV. Hackers plot to create massive botnet
V. Nuclear power plant secrets leaked by computer virus
VI. New worm hits AIM network
VII. Adobe flaw puts PCs at risk
VIII. Apple Patches 11 Security Flaws
IX. Arrests/Convictions
IX.1 Sasser Worm Trial Set to Begin on July 5
IX.2 Man Sentenced for Signing Boss Up for Unwanted E-mail
IX.3 Japanese Police Arrest Phishing Suspect
X. Confused about Phishing and Pharming?
XI. It is Quiz Time

******************************

More Details About Things To Avoid

I. E-mail from people trying to steal your identity (and your money)

I.1 Navy Federal Credit Union Phishing Scam
The Bait: Warns you that there has been unauthorized ATM activity on your account and tells you to log in to their "secure site" to verify your information.
The Goal: To get you to enter personal and account information.
Where you can see how it actually appears:
http://www.navyfcu.org/01/aa/em_phs-v1.html

I.2 Update Your PayPal Account Information
The Bait: E-mail asks you to confirm and/or update your account information by visiting the link within the e-mail.
The Goal: To capture your account information.
Where you can see how it actually appears:
http://www.millersmiles.co.uk/report/746

I.3 Bank Of Oklahoma
The Bait: E-mail asking you to verify your account information because of unusual login attempts.
The Goal: To persuade you to provide your credit card and other personal information.
Where you can see how it actually appears:
http://www.millersmiles.co.uk/report/732

I.4 Message from eBay Member (eBay)
The Bait: Message from an eBay member about unauthorized account access.
The Goal: To persuade you to provide your user ID and password along with other information on your eBay account.
Where you can see how it actually appears:
http://www.millersmiles.co.uk/report/727

I.5 Smith Barney: Security Maintenance
The Bait: E-mail telling you that Smith Barney is updating its software and asking you to confirm your account details.
The Goal: To persuade you to provide your user ID and password along with other information on your Smith Barney account.
Where you can see how it actually appears:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=68326

******************************

II. Virus and Hoax Alerts:

II.1 W32/Mytob-BI (virus)
Delivery Method: E-mail pretending to come from an IT administrator, warning that your account is about to be suspended and asking you to open the attached "validation" file, which is the virus itself.
Effects of Infection: Allows others to access the computer, sends copies of itself to e-mail addresses found on the infected computer, and forges the sender's e-mail address.
Where you can read more on this:
http://www.sophos.com/virusinfo/analyses/w32mytobbi.html

II.2 W32/Mytob-CV (virus)
Delivery Method: E-mail sent to you with various subject lines and attachment names.
Effects of Infection: Turns off anti-virus applications, allows others to access the computer, sends itself to e-mail addresses found on the infected computer, and records keystrokes.
Where you can read more on this:
http://www.sophos.com/virusinfo/analyses/w32mytobcv.html

II.3 W32/Chode-C (virus)
Delivery Method: Can be delivered through chat programs.
Effects of Infection: Turns off anti-virus applications, allows others to access the computer, and downloads code from the internet. This particular one is used in denial of service attacks.
Where you can read more on this:
http://www.sophos.com/virusinfo/analyses/w32chodec.html

II.4 Skulls.L (Trojan)
Delivery Method: A Symbian mobile phone installation package that you must install on the phone yourself; it may arrive by e-mail or as a download. It cannot infect a phone on its own.
Effects of Infection: Like the other Skulls variants, it disables the phone's built-in applications and replaces their icons with skull images, so the phone becomes largely unusable until the Trojan is removed.
Where you can read more on this:
http://www.f-secure.com/v-descs/skulls_l.shtml

II.5 BagleDl-R (Trojan)
Delivery Method: Troj/BagleDl-R is a downloader Trojan which will download, install and run new software without telling you that it is doing so.
Effects of Infection: This Trojan will turn off anti-virus applications, modify data on the infected computer, download code from the internet, and install itself into the registry of the system so that it runs every time the computer starts.
Where you can read more on this:
http://www.sophos.com/virusinfo/analyses/trojbagledlr.html

II.6 Nokia phone promotion hoax (hoax)
Delivery Method: Sent by e-mail, announcing a free Nokia phone giveaway.
Effect: This hoax tries to get you to pass it on to everyone you know, claiming you will receive a free phone. It is a hoax; delete it and do not forward it.
Where you can read more on this:
http://www.datafellows.com/hoaxes/nokiagiv.shtml

******************************

III. Phishing Information (see Section X for phishing and pharming definitions):

III.1 Phishers are Exploiting MasterCard Breach
Businesses and consumers should be on the lookout for suspicious e-mails supposedly from MasterCard. The bogus e-mails link to a fraudulent (phishing) site and ask users to visit it and disclose their account information.
Where you can read more on this story:
http://blogs.washingtonpost.com/securityfix/2005/06/phishers_target.html?referrer=email

III.2 British Government and Companies Hit By Targeted E-mail Attacks
According to NISCC, the British government's cybersecurity agency, sophisticated virus writers are targeting computers at the very heart of Great Britain's infrastructure with e-mail attacks aimed at specific organizations.
Where you can read more on this story:
http://www.msnbc.msn.com/id/8244700/

******************************

IV. Hackers plot to create massive botnet
According to experts, the most recent Bagle variants are actually part of a three-stage process to create botnets, or networks of "zombie" computers under remote control.
Where you can read more on this story:
http://www.theregister.co.uk/2005/06/03/malware_blitz/print.html

******************************

V. Nuclear power plant secrets leaked by computer virus
According to the Japanese press, approximately 40 MB of confidential reports related to nuclear power plant inspections were leaked from a virus-infected computer belonging to an employee of Mitsubishi Electric Plant Engineering (MPE).
Where you can read more on this story:
http://www.sophos.com/virusinfo/articles/jpnuclear.html

******************************

VI. New worm spreads through AIM network
The worm spreads in instant messages with the text "LOL LOOK AT HIM" and a web link to a file called "picture.pif". Do not click on links like this, even when they appear to come from someone on your buddy list: the message is sent by the worm from an already infected computer.
Where you can read more on this story:
http://techrepublic.com.com/2100-1009_11-5748646.html?tag=fdnews#

******************************

VII. Adobe flaw puts PCs at risk
According to Adobe, a security vulnerability exists in the Adobe License Management Service. This vulnerability can lead to unauthorized persons gaining access to the user's computer.
Where you can read more on this story:
http://www.zdnet.com.au/news/security/0,2000061744,39196954,00.htm

******************************

VIII. Apple Patches 11 Security Flaws
Apple has released a security update that contains fixes for 11 vulnerabilities in its OS X operating system. Some of the flaws are buffer overflow problems that can result in denial of service or unauthorized root access on vulnerable systems. Others allow unauthorized access over Bluetooth wireless connections.
Where you can read more on this story:
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=164302227

******************************

IX. Arrests and Convictions

IX.1 Sasser Worm Trial Set to Begin on July 5
The German teenager accused of creating the infamous Sasser worm faces a July trial for computer sabotage offenses. This teenager is also suspected of releasing all 28 versions of the equally notorious NetSky worm.
Where you can read more on this story:
http://www.theregister.co.uk/2005/05/31/sasser_trial_date_set/print.html
http://www.theregister.co.uk/2004/05/10/sasser_worm_arrest/

IX.2 Man Sentenced for Signing Boss Up for Unwanted E-mail
According to the Baltimore Sun, a US man who signed his boss up to various spam lists has been convicted of harassment and sentenced to probation and 100 hours of community service after pleading guilty to misuse of electronic mail.
Where you can read more on this story:
http://www.theregister.co.uk/2005/06/10/spam_harrassement_lawsuit/

IX.3 Japanese Police Arrest Phishing Suspect
Japanese police have arrested Kazuma Yabuno, who is suspected of creating and operating a web site that looked like a well-known Internet auction site but was instead used to harvest unsuspecting users' personal information. Police confiscated 12 computers from Mr. Yabuno's home. This is Japan's first arrest related to phishing.
Where you can read more on this story:
http://informationweek.com/story/showArticle.jhtml?articleID=164302444

******************************

X. Confused about Phishing and Pharming?

Phishing - sounds like "fishing" and is an attempt to steal confidential information from individuals, often login username/password combinations, account numbers or other sensitive details. It usually begins with an e-mail message asking someone to visit a website and provide their credentials. Although the website may look legitimate, it is not, and the scam artist captures the confidential information supplied. This usually leads to some sort of fraud. A legitimate organization will almost never send an e-mail message asking someone to log in and validate their credentials. Never respond to these sorts of requests; if you think the message might be genuine, type the organization's address into your browser yourself or telephone them, rather than following the link in the e-mail.

Pharming - sounds like "farming" and is a more insidious method of obtaining confidential information. In this case the victim does not have to click on anything. The lookup that takes a browser to a legitimate site, such as an e-commerce or banking website, is tampered with (for example by poisoning DNS records or by altering the "hosts" file on the victim's own computer), or the legitimate server itself is compromised, so that visitors are silently sent to a fraudulent website that asks them for confidential information. Again, the desired outcome is fraud. Because the address in the browser can look correct, pay attention to browser warnings about a site's security certificate, and keep your computer free of the Trojans described in section II, since they are one way the hosts file gets altered.

For more details visit: http://www.antiphishing.org

******************************

XI. It is Quiz Time
Here are two quizzes found on the net that have good information to help you, your coworkers and your family recognize phishing and stay safe online.
http://www.bankrate.com/brm/news/advice/20040331a1.asp
http://www.javelinstrategy.com/IDSAFETYQUIZ.htm

==end==

Copyright 2005, The SANS Institute. Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product.
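The two definitions in section X can be turned into simple, mechanical checks. The following Python script is an added example and is not part of the SANS newsletter or of any product it mentions: it scans a hosts file for entries that pin a protected bank hostname to a fixed address (the local form of the pharming described above) and scans an HTML e-mail body for links whose visible text names a trusted site while the link itself goes elsewhere, or whose host is a bare IP address (the phishing pattern in the "unusual login attempts" bait of section I.3). The hosts file, e-mail body, domain names and addresses are all constructed for the example and are not real sites.

```python
"""Added example: simple phishing and pharming checks on constructed input."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample hosts file (assumption, not from the newsletter).
# The second entry pins a bank's hostname to an attacker-chosen address,
# which is the local form of the pharming described in section X.
SAMPLE_HOSTS = """\
# hosts file
127.0.0.1    localhost
192.0.2.45   www.examplebank.test   # added by malware
"""

# Constructed sample HTML e-mail body, modelled on the "unusual login
# attempts" bait in section I.3. Names and addresses are placeholders.
SAMPLE_EMAIL = """\
<p>Unusual login attempts were detected on your account. Please
<a href="http://198.51.100.7/verify/">log in at www.examplebank.test</a>
to verify your details, or read our
<a href="https://www.examplebank.test/help">help page</a>.</p>
"""

# Hostnames that should never appear in a hosts file and that phishing
# mail likes to name in its link text (assumed list for the example).
PROTECTED_DOMAINS = {"www.examplebank.test", "www.paypal.example"}


def find_pharming_entries(hosts_text, protected):
    """Return (ip, hostname) pairs that pin a protected hostname in a hosts file."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in protected:
                hits.append((ip, name.lower()))
    return hits


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # normalise whitespace
            self.links.append((self._href, visible))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body, trusted):
    """Flag links that are bare IP addresses or whose visible text names a
    trusted site while the href actually leads somewhere else."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        reasons = []
        if _is_ip(host):
            reasons.append("link host is a bare IP address")
        shown = _host(text) if "://" in text else text.lower()
        for domain in trusted:
            same_site = host == domain or host.endswith("." + domain)
            if domain in shown and not same_site:
                reasons.append(f"text names {domain} but link goes to {host or '?'}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for ip, name in find_pharming_entries(SAMPLE_HOSTS, PROTECTED_DOMAINS):
        print(f"pharming: {name} is pinned to {ip} in the hosts file")
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, PROTECTED_DOMAINS):
        print(f"phishing: '{text}' -> {href}: {'; '.join(reasons)}")
```

On the sample input the hosts check reports the pinned bank hostname and the link check flags only the first link, for both reasons; the genuine help-page link, whose host matches the domain named in its text, passes. A real deployment would read the live hosts file and the mail body instead of the constructed strings, but the two checks themselves are the point: pharming shows up as a name resolving somewhere it should not, phishing as a link saying one thing and going to another.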