Prevent Online Threats

Archive for the 'Security' Category

US-CERT Technical Cyber Security Alert TA06-192A — Microsoft Windows, Office, and IIS Vulnerabilities

Tuesday, July 11th, 2006

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-192A

Microsoft Windows, Office, and IIS Vulnerabilities

Original release date: July 11, 2006
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Information Services (IIS)
* Microsoft Office
* Microsoft Office for Mac
* Microsoft Access
*…

Read more at checksum.org

Keyloggers

Monday, July 10th, 2006

Many keyloggers install kernel-level drivers, which make them robust and stable and, more importantly, hard to detect. Some also use process-blocking techniques to actively stop anti-spyware programs from running, so anti-spyware software needs to protect its own processes in order to survive on an infected machine. Keyloggers are becoming steadily more aggressive.

Advancing Obfuscation Methods of Spyware and Trojans

Sunday, July 9th, 2006

Trojan and viral techniques in spyware continue to use the most advanced obfuscation and distribution methods. Obfuscation methods include rotating encryption, compression algorithms, and rootkit-like behavior that hides files from the core Windows Application Programming Interfaces. Some of the more malicious spyware writers add code that blocks outbound internet connections to the update services of popular scanning engines, so the scanner keeps running but never receives new signatures. Trojans and spyware change weekly and grow more sophisticated. Stay safe in your online travels.
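The post says only that some spyware blocks outbound connections to the scanners' update services. One mechanism widely used for that at the time was rewriting the Windows hosts file so that the update host names resolve to a loopback or unspecified address, and that mechanism is the assumption behind the following check; it is an added example, not code from the original post or from any product mentioned on this page. The hosts text and the watched names (update.example-av.test and so on) are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Update host names to watch for: constructed stand-ins, not real vendor hosts. */
static const char *WATCHED_HOSTS[] = {
    "update.example-av.test",
    "liveupdate.example-av.test",
    "definitions.example-av.test",
};
#define N_WATCHED (sizeof WATCHED_HOSTS / sizeof WATCHED_HOSTS[0])

/* Constructed hosts file as a dropper might leave it. */
static const char *SAMPLE_HOSTS =
    "127.0.0.1       localhost\n"
    "# the lines below were appended by the infection\n"
    "127.0.0.1 update.example-av.test\n"
    "0.0.0.0   LiveUpdate.example-av.test definitions.example-av.test\n";

/* Mapping a name to loopback or the unspecified address sends its traffic nowhere. */
static int is_sink_address(const char *addr) {
    return strcmp(addr, "127.0.0.1") == 0 || strcmp(addr, "0.0.0.0") == 0 ||
           strcmp(addr, "::1") == 0;
}

/* Host names are case-insensitive, so compare them that way. */
static int equal_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Scans hosts-file text. Stores the watched names that are mapped to a sink
 * address in out[] (at most max of them) and returns how many were found. */
int find_hijacked_hosts(const char *hosts_text, const char **out, int max) {
    int found = 0;
    const char *line = hosts_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* overlong line: truncate, still inspect */
        memcpy(buf, line, len);
        buf[len] = '\0';
        char *hash = strchr(buf, '#');
        if (hash) *hash = '\0';                          /* drop trailing comment */
        char *save = NULL;
        char *addr = strtok_r(buf, " \t\r", &save);      /* first field is the address */
        if (addr && is_sink_address(addr)) {
            char *name;
            while ((name = strtok_r(NULL, " \t\r", &save)) != NULL)
                for (size_t i = 0; i < N_WATCHED; i++)
                    if (equal_nocase(name, WATCHED_HOSTS[i]) && found < max)
                        out[found++] = WATCHED_HOSTS[i];
        }
        if (!nl) break;
        line = nl + 1;
    }
    return found;
}

/* Runs the check over the constructed sample; returns the number of hijacked names. */
int sample_hijacked_count(void) {
    const char *hits[8];
    return find_hijacked_hosts(SAMPLE_HOSTS, hits, 8);
}

int main(void) {
    const char *hits[8];
    int n = find_hijacked_hosts(SAMPLE_HOSTS, hits, 8);
    for (int i = 0; i < n; i++)
        printf("update host blocked via hosts file: %s\n", hits[i]);
    return n ? 1 : 0;   /* non-zero exit when something is hijacked, for scripting */
}
```

On a real machine the text would come from %SystemRoot%\System32\drivers\etc\hosts and the watched list from the vendors whose products are installed; the same check catches the case where the dropper points the names at an attacker-controlled address instead of a sink, if is_sink_address is widened to "anything that is not the vendor's own address".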

Microsoft WGA Second Lawsuit

Wednesday, July 5th, 2006

Microsoft has been hit with a second lawsuit over the recently released Windows Genuine Advantage (WGA) software. The class-action suit was filed Friday in U.S. District Court in Seattle, just four days after the first one. It alleges that WGA is spyware, that Microsoft misled consumers by labeling it a critical security update, and that Microsoft did not tell users how frequently WGA contacted its central servers. Users have also complained that WGA is flawed and identifies legitimate copies of the OS as fraudulent. Last week Microsoft changed some of WGA's behavior, adding an option that lets users turn off the warnings that their OS may be invalid and reducing the frequency with which WGA communicates with its servers. The suit asks for compensation, for Microsoft to warn users of the risks of running WGA, and for a tool to remove the program.

Avoiding Financial Fraud

Saturday, July 1st, 2006

Online criminals are becoming bolder. Here are some tips to avoid online financial fraud:
1) Do not click on hyperlinks in emails. Type the address or use a bookmark and go to the web page directly instead.
2) Be sure your antivirus, firewall, and spyware protection are working and up to date.
3) Limit access to your accounts. Only do what is necessary online.
4) Read your deposit or investment agreement carefully to determine whether you are likely to be reimbursed for identity theft or other fraud, and look for that when choosing a bank.
5) Search for complaints about your institution at places such as www.ripoffreport.com, and if you find them, do your business elsewhere.
6) Do not use the same password for everything.
7) Use only credit cards for online purchases, not debit cards or electronic checks.

These tips should help keep you and your money safe while online.
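The first tip exists because the text of a link and its target can differ. As an added example, not part of the original post, the C program below walks the anchors in an HTML email body and reports those whose visible text names one host while the href points at another; anchors whose text is not a host name ("Click here") are not comparable and are not counted. The message body and its .test domains are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed phishing-style message body; the domains are reserved .test names. */
static const char *SAMPLE_MAIL =
    "<p>Your account needs verification. Sign in at "
    "<a href=\"http://www.example-bank.test.verify-now.test/login\">https://www.example-bank.test/login</a> "
    "or read the notice at <a href=\"https://www.example-bank.test/help\">www.example-bank.test/help</a>. "
    "Questions? <a href=\"http://verify-now.test/faq\">Click here</a>.</p>";

/* Copies the host part of a URL or bare domain found in text[0..len) into host[],
 * lower-cased. Returns 0 when the text does not start with a host-like token. */
static int extract_host(const char *text, size_t len, char *host, size_t cap) {
    const char *p = text, *end = text + len;
    while (p < end && isspace((unsigned char)*p)) p++;
    for (const char *q = p; q + 3 <= end; q++)       /* skip a scheme if present */
        if (memcmp(q, "://", 3) == 0) { p = q + 3; break; }
    size_t n = 0;
    int dots = 0;
    while (p < end && n + 1 < cap) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == ':' || c == '?' || c == '#' || isspace(c)) break;
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;   /* not a host name */
        if (c == '.') dots++;
        host[n++] = (char)tolower(c);
        p++;
    }
    host[n] = '\0';
    return n > 0 && dots > 0;      /* require at least one label separator */
}

/* Walks every <a href="..."> ... </a> in html. For anchors whose visible text
 * names a host, compares it with the host in href. Returns the number of
 * anchors where the two disagree. */
int count_link_mismatches(const char *html) {
    int mismatches = 0;
    const char *p = html;
    for (;;) {
        const char *a = strstr(p, "<a ");
        if (!a) break;
        const char *tag_end = strchr(a, '>');
        const char *href = strstr(a, "href=\"");
        if (!tag_end || !href || href > tag_end) { p = a + 3; continue; }  /* anchor without href */
        href += 6;
        const char *href_end = strchr(href, '"');
        const char *text = tag_end + 1;
        const char *text_end = strstr(text, "</a>");
        if (!href_end || href_end > tag_end || !text_end) break;
        char target[256], shown[256];
        if (extract_host(href, (size_t)(href_end - href), target, sizeof target) &&
            extract_host(text, (size_t)(text_end - text), shown, sizeof shown) &&
            strcmp(target, shown) != 0) {
            printf("link text says %s but points at %s\n", shown, target);
            mismatches++;
        }
        p = text_end + 4;
    }
    return mismatches;
}

/* Runs the check over the constructed message. */
int sample_mail_mismatches(void) {
    return count_link_mismatches(SAMPLE_MAIL);
}

int main(void) {
    printf("%d mismatched link(s)\n", sample_mail_mismatches());
    return 0;
}
```

The comparison is on the full host, so a look-alike that merely prefixes the real name (www.example-bank.test.verify-now.test) is still caught; a production filter would add checks for a host that is an IP address and for punycode labels, which this example leaves out.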

Lawsuit over Microsoft WGA

Friday, June 30th, 2006

Microsoft's Windows Genuine Advantage (WGA) program, designed to combat pirated copies of Windows, is facing its first lawsuit only one week after the final version was released. The beta version had been out for about a year and was already controversial. A court filing by Los Angeles resident Brian Johnson asks for an injunction preventing Microsoft from using WGA's check-in feature in future releases. The suit asks the court to award the plaintiff and class members "…full restitution of all monies wrongfully acquired by the Defendant by means of the wrongful conduct alleged herein…." but does not state a monetary value. One complaint is that the software does not ask permission before checking in. Microsoft says it does not collect any identifying information about the user during the checks. If a pirated copy of Windows is found, WGA displays messages about not running a "genuine" copy of Windows and directs the user to Microsoft web sites to purchase one.

Malware Poses as WGA Notification

Thursday, June 29th, 2006

A new piece of malware, wgavn.exe, has been discovered posing as a Windows Genuine Advantage Notification. On execution it creates a folder, C:\Windows\etc\, containing a file named services.exe, copies itself to the \System32\ folder, and registers itself as a service, which shows up in a HijackThis log as: "O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe." The malware disables antivirus software and attempts to contact several IP addresses; the ISP responsible for those addresses is being notified so the sites can be investigated. How users are being infected is still unknown.
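The quoted line is a HijackThis-style O23 service entry. As an added example, not code from the original post or from HijackThis, here is a C parser that splits such a line into its fields and flags the combination this entry shows: Windows branding in the display name, no recorded owner, and a binary in the system directory. The wgavn line is the one from the post; the "Example Updater" line and the triage rules are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define O23_PREFIX "O23 - Service: "

/* The entry from the post, and a constructed benign one for contrast. */
#define WGAVN_LINE  "O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\\WINDOWS\\system32\\wgavn.exe"
#define BENIGN_LINE "O23 - Service: Example Updater (exupd) - Example Corp - C:\\Program Files\\Example\\exupd.exe"

enum {
    SVC_UNKNOWN_OWNER    = 1,   /* no vendor recorded for the service binary */
    SVC_CLAIMS_MICROSOFT = 2,   /* display name borrows Windows/Microsoft branding */
    SVC_IN_SYSTEM_DIR    = 4,   /* binary sits in the Windows system directory */
};

typedef struct {
    char display[128];
    char shortname[64];
    char owner[64];
    char path[260];
    int  flags;
} service_entry;

/* Copies [start, end) into dst without surrounding whitespace. */
static void copy_trim(char *dst, size_t cap, const char *start, const char *end) {
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - start);
    if (n >= cap) n = cap - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Case-insensitive substring test (strcasestr is not portable). */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Last " - " separator inside [s, end), or NULL. */
static const char *last_sep(const char *s, const char *end) {
    const char *found = NULL;
    for (const char *p = s; p + 3 <= end; p++)
        if (memcmp(p, " - ", 3) == 0) found = p;
    return found;
}

/* Parses one O23 line into its fields and sets triage flags.
 * Returns 0 on success, -1 if the line is not an O23 service entry. */
int parse_o23(const char *line, service_entry *e) {
    memset(e, 0, sizeof *e);
    if (strncmp(line, O23_PREFIX, strlen(O23_PREFIX)) != 0) return -1;
    const char *s = line + strlen(O23_PREFIX);
    const char *end = s + strlen(s);
    /* Split from the right, since a display name may itself contain " - ". */
    const char *sep_path = last_sep(s, end);
    if (!sep_path) return -1;
    copy_trim(e->path, sizeof e->path, sep_path + 3, end);
    const char *sep_owner = last_sep(s, sep_path);
    if (!sep_owner) return -1;
    copy_trim(e->owner, sizeof e->owner, sep_owner + 3, sep_path);
    /* What remains is "Display Name (shortname)". */
    const char *paren = NULL;
    for (const char *p = s; p < sep_owner; p++) if (*p == '(') paren = p;
    if (!paren || sep_owner[-1] != ')') return -1;
    copy_trim(e->display, sizeof e->display, s, paren);
    copy_trim(e->shortname, sizeof e->shortname, paren + 1, sep_owner - 1);

    if (contains_nocase(e->owner, "unknown owner")) e->flags |= SVC_UNKNOWN_OWNER;
    if (contains_nocase(e->display, "windows") || contains_nocase(e->display, "microsoft"))
        e->flags |= SVC_CLAIMS_MICROSOFT;
    if (contains_nocase(e->path, "\\system32\\")) e->flags |= SVC_IN_SYSTEM_DIR;
    return 0;
}

/* Convenience: flags for a line, or -1 if it does not parse. */
int triage_o23_line(const char *line) {
    service_entry e;
    return parse_o23(line, &e) == 0 ? e.flags : -1;
}

/* Triage rule: Windows branding with no known owner is how the wgavn entry presents. */
int o23_suspicious(int flags) {
    const int pattern = SVC_UNKNOWN_OWNER | SVC_CLAIMS_MICROSOFT;
    return flags >= 0 && (flags & pattern) == pattern;
}

int main(void) {
    const char *lines[] = { WGAVN_LINE, BENIGN_LINE };
    for (size_t i = 0; i < 2; i++) {
        service_entry e;
        if (parse_o23(lines[i], &e) == 0)
            printf("%-7s %s [%s] owner=\"%s\" path=%s\n",
                   o23_suspicious(e.flags) ? "SUSPECT" : "ok",
                   e.display, e.shortname, e.owner, e.path);
    }
    return 0;
}
```

"Unknown owner" alone is not proof of anything, and neither is a system32 path; the point of combining the flags is that a component claiming to be part of Windows should never lack a recorded owner, so that pairing is worth a look at the binary itself.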

Brazilian World Cup Controversy Trojan

Tuesday, June 27th, 2006

An email is circulating about the controversy between the Brazilian soccer coach and the President of Brazil over the health of team star Ronaldo. The email is in Portuguese, includes photos of Ronaldo and President Lula, and urges the reader to open the attached file to view a video of the controversy. The attachment is actually a Trojan .exe file. When run, it extracts itself and mimics a Microsoft software installation, which lets it alter firewall settings so that it can operate without being noticed. The payload then runs.

Microsoft Security Assessment

Tuesday, June 27th, 2006

If your company has fewer than 1,000 employees, Microsoft offers a free security assessment to help improve security within your Information Technology department.

According to Microsoft, as soon as you fill out the questionnaire you can view the assessment. You also receive an in-depth report that describes the current state of your IT security, along with industry-recognized best practices and recommendations for tightening it.

Claria Urges Users to Uninstall

Saturday, June 24th, 2006

Adware company Claria is urging users to uninstall its software because it is leaving the adware business. Claria is best known for its GAIN application, which tracks where individuals surf on the Web and pushes related advertisements to their screens. The company will stop serving ads through the adware on July 1st, although the application will continue to collect data until September 30th for research purposes. Claria plans to reinvent itself as a more legitimate company. Don't expect the technology to disappear with the business: companies including Microsoft are interested in purchasing the GAIN application.

Webroot Announces Spy Sweeper Enterprise 3.0

Thursday, June 22nd, 2006

Webroot Software Inc. has introduced its latest anti-spyware product, Spy Sweeper Enterprise 3.0. Built on a completely redesigned client, the new version adds a kernel-level driver to detect and remove the most malicious types of spyware, including rootkits and other evolving malware. The driver lets it find spyware that uses rootkit techniques to hide from Windows and from security products: Webroot now performs a direct disk scan, reading the disk itself instead of going through the Windows APIs that control disk access, since a rootkit that hooks those APIs can filter its own files out of the results. Spy Sweeper Enterprise 3.0 also offers new real-time Smart Shields:
* The ActiveX Shield blocks potential spyware threats that use ActiveX components to disguise their installation.
* The Spy Communication Shield prevents further infection by blocking all communication with web sites known to host spyware, and stops spyware from re-installing itself during removal.
* The BHO Shield blocks the installation of Browser Helper Objects (BHOs) unless the administrator has specifically approved them.
* The IE Trusted Sites Shield prevents spyware from modifying Internet Explorer security-zone settings.
Other new features in Spy Sweeper Enterprise 3.0 include scanning of compressed files, enhanced scalability options, removal that Webroot says is guaranteed complete, laptop and remote-user management, and configurable SNMP alerts for spyware detected at the end of a sweep. Administrators can also throttle CPU usage for both memory and file scans to minimize the impact on user productivity during sweeps. Look for it shortly.

Dangers with Macromedia Flash and Quicktime

Tuesday, June 20th, 2006

Similar to the Windows Media Player problem described in an earlier post, two other media players have holes that allow security attacks. Both Adobe's Macromedia Flash Player and Apple's QuickTime player have vulnerabilities that could let an attacker gain access to your computer through the player. All it takes is for the user to open a malformed media file: the file triggers a buffer overflow in the player, and instead of merely crashing, the player ends up running whatever code the file's creator put in it. Updates are available for both players. All users should update, and be careful with what you download from the internet: always know what a file is before opening it.

Worm Using World Cup Soccer

Monday, June 19th, 2006

A new worm is out that uses the 2006 World Cup soccer games as its lure. The worm arrives in an email with one of the following subjects and message bodies.

Subjects:
1. Soccer fans killed five teens
2. Crazy soccer fans
3. Please reply me Tomas
4. My tricks for you
5. Naked World Cup game set
6. My sister whores, shit i dont know

Message Bodies:
1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos
5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait. View photos. 

Upon execution, the worm infects the computer and attempts to disable anti-virus software. It also attempts to download other malware. The worm has a built-in mail engine with which it sends copies of itself to everyone in the computer's address book. Be wary of any email with one of the subjects or messages above.

Windows Media Player Hack

Sunday, June 18th, 2006

Microsoft has disclosed a flaw in Windows Media Player (WMP) that may allow an attacker to get into your computer through it. The flaw is in the handling of bitmap images, the artwork WMP displays while playing music. A crafted bitmap floods the image handler with more data than it has room for, bypassing your security and letting the attacker plant viruses or spyware on the machine. WMP crashes, and the attacker is able to take control of your computer. All versions of WMP are affected. Microsoft has a patch available through Windows Update; do not delay in applying it, because until you do you are at risk.
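This post and the Flash/QuickTime post above describe the same class of bug: a media file declares its own size and the parser trusts the declaration. As an added example, not part of the original posts and not code from Microsoft, Adobe or Apple, here is that pattern in C, as a careless bitmap parser beside a hardened one. The six-byte header format, the 64-byte buffer and the canary field are constructed for illustration; the real players' file formats and the exact overflow points are not described on this page. The canary sits directly after the buffer so the program can show, without crashing, what the overflow overwrote.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PIXEL_BUF 64           /* the "player's" fixed-size pixel buffer (small, for illustration) */
#define HDR_LEN   6            /* constructed header: "BM" + 4-byte little-endian pixel length */
#define CANARY_OK 0xC0FFEE42u

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))   /* keep the compiler from seeing the buffer size */
#else
#define NOINLINE
#endif

typedef struct {
    uint8_t  pixels[PIXEL_BUF];
    uint32_t canary;   /* stands in for whatever follows the buffer in a real player; 64 % 4 == 0, so no padding */
    size_t   used;
} frame_t;

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable parser: copies as many bytes as the header claims. */
NOINLINE int parse_bitmap_unsafe(const uint8_t *file, size_t file_len, frame_t *out) {
    if (file_len < HDR_LEN || file[0] != 'B' || file[1] != 'M') return -1;
    uint32_t declared = rd_u32le(file + 2);
    memcpy(out->pixels, file + HDR_LEN, declared);   /* 'declared' is attacker-controlled, never bounded */
    out->used = declared;
    return 0;
}

/* Hardened parser: the declared length must fit both the buffer and the file. */
int parse_bitmap_safe(const uint8_t *file, size_t file_len, frame_t *out) {
    if (file_len < HDR_LEN || file[0] != 'B' || file[1] != 'M') return -1;
    uint32_t declared = rd_u32le(file + 2);
    if (declared > PIXEL_BUF) return -2;            /* would run past pixels[] */
    if (declared > file_len - HDR_LEN) return -3;   /* header claims more data than the file holds */
    memcpy(out->pixels, file + HDR_LEN, declared);
    out->used = declared;
    return 0;
}

/* Builds a constructed file: header claiming 'declared' pixel bytes, body of 'body_len' fill bytes. */
size_t build_bitmap(uint8_t *buf, size_t cap, uint32_t declared, size_t body_len, uint8_t fill) {
    if (cap < HDR_LEN + body_len) return 0;
    buf[0] = 'B'; buf[1] = 'M';
    buf[2] = (uint8_t)declared;         buf[3] = (uint8_t)(declared >> 8);
    buf[4] = (uint8_t)(declared >> 16); buf[5] = (uint8_t)(declared >> 24);
    memset(buf + HDR_LEN, fill, body_len);
    return HDR_LEN + body_len;
}

/* Crafted file claiming PIXEL_BUF + 4 bytes through the unsafe parser.
 * Returns 1 if the four extra 'A' bytes overwrote the canary. */
int unsafe_parser_clobbers_canary(void) {
    uint8_t file[128];
    size_t n = build_bitmap(file, sizeof file, PIXEL_BUF + 4, PIXEL_BUF + 4, 'A');
    frame_t f;
    f.canary = CANARY_OK;
    parse_bitmap_unsafe(file, n, &f);
    return f.canary == 0x41414141u;
}

/* Same crafted file through the hardened parser: its status, provided the canary is intact. */
int safe_parser_rejects_oversized(void) {
    uint8_t file[128];
    size_t n = build_bitmap(file, sizeof file, PIXEL_BUF + 4, PIXEL_BUF + 4, 'A');
    frame_t f;
    f.canary = CANARY_OK;
    int rc = parse_bitmap_safe(file, n, &f);
    return f.canary == CANARY_OK ? rc : -99;
}

/* A header that claims more than the file contains must also be refused. */
int safe_parser_rejects_truncated(void) {
    uint8_t file[128];
    size_t n = build_bitmap(file, sizeof file, 32, 16, 'B');
    frame_t f;
    return parse_bitmap_safe(file, n, &f);
}

/* A well-formed file is accepted; returns the number of pixel bytes kept. */
int safe_parser_accepts_benign(void) {
    uint8_t file[128];
    size_t n = build_bitmap(file, sizeof file, 16, 16, 'C');
    frame_t f;
    return parse_bitmap_safe(file, n, &f) == 0 ? (int)f.used : -1;
}

int main(void) {
    printf("unsafe parser overwrote the canary: %d\n", unsafe_parser_clobbers_canary());
    printf("hardened parser on oversized file: %d\n", safe_parser_rejects_oversized());
    printf("hardened parser on truncated file: %d\n", safe_parser_rejects_truncated());
    printf("hardened parser on benign file kept %d bytes\n", safe_parser_accepts_benign());
    return 0;
}
```

In a real player the bytes that follow the buffer are a saved return address or heap bookkeeping rather than a canary, which is why the posts describe the outcome as the attacker running code rather than the player merely crashing; the fix is the same two comparisons, and they have to be against both the destination size and the amount of data actually present.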

Parents Using Spyware to Monitor Children

Saturday, June 17th, 2006

As summer kicks off, many kids are spending less time outdoors and more time in front of their computers, and many parents say their main summertime child-care fear is their children spending too much time online. Parents are now using spyware to keep tabs on their kids' online activity. A new type of software monitors what kids do online and alerts parents by email when a child tries to reach an off-limits web site or types a forbidden keyword or personal information such as a home address. Sales of this kind of software are rising and will most likely continue to rise.

