Well, now that my dreams of an early retirement are shattered and I'm back on Reality Street, there are some sober lessons to be learned from this. It is probably not news to you that there is a heck of a lot of scams out there and identity theft is rife. Recently I posted an article about an Olympic ticketing scam that ripped off many unsuspecting people, but this job scam might not necessarily rip you off. In fact, if you "cooperate" with the "processing department" of Mortgagee Union Trust you might even actually make a bit of cash by transferring funds from one account to another when instructed. (The job title should actually be "Money Mule," but it doesn't have the same air of self importance that "Monetary Operator" does.)

Whether you can make much, if any, money by taking part in this scheme is uncertain. What is certain is that you will inevitably be playing the pawn in a global game of scams, online crime, and money laundering. Next time an offer that's too good to refuse comes a-calling, save the precious gas and reduce your carbon footprint by using the Internet to visit the company, check out their credentials, and satisfy your curiosity that they are indeed a legitimate organization. Only when you have checked and double checked should you part with your valuable personal information.

And, the tried-and-true method by which the Storm team successfully infects machines hasn't changed either. The method consists of bulk emailing with "interesting" content aimed at enticing the victim into either visiting a Web site or opening an attachment.

The various topics used per spam round included war, politics, murder, adult entertainment, romance, public holidays, sporting events, business transactions, surveys, terrorism and natural disasters and these are certainly a contributing factor to the prevalence and persistence of infections. Such topics, based both on real-world current events and false-but-interesting scenarios, still appear to be a fairly successful propagation technique and are clearly favoured by those behind Storm.

At the heart of the rootkit are two files: in this case, glok+serv.config and glok+767-4e80.sys. The first file contains a list of encrypted peers with which the infected host maintains contact with and is updated periodically with new nodes, and the second is the rootkit-based service which performs all of the primary functions of the zombie including spamming, denial-of-service and component updates. A range of API calls are hooked by the rootkit in an attempt to hide its presence on the system, such as ZwEnumerateValueKey and ZwQueryDirectoryFile.

The botnet itself runs its main operations over UDP, communicating via a fairly aggressive peer-to-peer network. The resulting traffic surge is fairly easy to spot:

The sale of spam-capable services that run from public hosts can net a bot controller a nice income, because fresh zombies can send upwards of 10,000 emails a day. And even if a particular Storm zombie is added to one of the many available spam blocking lists, the bot controller can still run distributed denial-of-service attacks with devastating speed. Also, the variances in the operation of Storm aren't restricted to email subjects, as we have watched its operators use polymorphic packers to defeat CRC-based detection, then experiment by removing the rootkit functionality to leave a plainly visible executable, and then return once again to a rootkit-enabled version.

We get quite a few questions in the form of "Yes, but if I get infected what does this actually mean?" To sum it all up, it means that:

• Complete control of your computer system is in someone else's hands.
• Any unprotected private information stored on your system is effectively no longer private.
• Your machine can be used to attack other machines on the Internet.

This particular link (circled in red in the above image) points to one of a range of fraudulent pages hosting the file install.exe (detected as Trojan.Pandex) which, once executed, gets down to work.

After an encrypted check-in with one of the control servers, several DNS lookups are performed for the malicious domain, which points to a range of fluxing IP addresses under the control of the attackers. The "stub" retrieves a copy of the file 14scan1.exe (detected as Trojan.DesktopHijack.), which changes the victim's desktop:

Then, fake security software known as "Antivirus XP 2008" (detected as AntivirusXP2008) is downloaded and installed on the victim's machine:

The results from this supposed scan are, of course, fraudulent and rely on unsuspecting victims to pay the activation fee in order to mitigate these non-existent threats. To add to the confusion, a fake "Blue Screen of Death" screensaver is silently installed and activated, and some of the graphical display controls in the Display Properties tab are disabled so the user cannot change the screensaver back to the original one easily.

As mentioned above, Symantec has a number of detections for the malicious files. In addition, Symantec Browser Detection triggers on malicious pages as HTTP Fake Codecs WebPage.

You may also have seen reports of malicious spam doing the rounds with updates to Microsoft products, including the Malicious Software Removal Tool and Internet Explorer 7, videos with adult material, and news alerts from CNN and MSNBC. The links contained within these spam emails also end up downloading and installing the fake Antivirus XP 2008 software.

Whether the group behind Antivirus XP 2008 are controlling this entire campaign or have employed the services of additional malicious parties to enhance the success of their spam delivery service, over 500,000 spam emails have been recorded via our probe network with links to Antivirus XP 2008 in the past 14 days, representing quite a large spike in activity for a single threat. As always, make sure you update your security products regularly to ensure you are protected against the latest threats.

Felix began his talk by explaining the impact of successful exploitation of Cisco IOS vulnerabilities, providing some details about Cisco IOS internals, and then explaining why the flat memory format is so dangerous. For example, even the smallest memory corruption bug could potentially be leveraged to overwrite critical structures anywhere in memory. "Just how often are routers hacked?" was covered with some very interesting points, such as the threat of TCL backdoors and patched IOS firmware. He also brought up an example of an old vulnerability that continues to see exploitation, namely, the old HTTP level 16 bug that is still being exploited in the wild, as well as the new SNMP HMAC issue. So, routers are being targeted in the wild and I believe this will only get more common, especially as other targets become increasingly difficult to exploit. A path of least resistance, if you will.

In his presentation, FX also covered how the Cisco IOS router is a volatile memory system. From a forensics perspective, this makes it very difficult to find any evidence of an attack after the system reboots. How does an administrator tell the difference between a "normal" router reboot and a reboot that is the result of an exploit attempt? The talk evolved into a compelling discussion about Cisco IOS crash-dump functionality and how it can be used for the purposes of forensics without impacting the performance of the router. Postmortem analysis of a crash dump file that is far too in-depth for the scope of this blog entry was covered in detail. This research is exciting. The Cisco Crash Dump analysis tool dubbed "CIR" (which FX says is a work-in-progress) is available as an online service for free. For those paranoid about uploading their crash dumps to a third party, it is my belief that a professional standalone version of the tool will be made available by Recurity labs. (But, I could be wrong about this-it would be best to contact Recurity Labs for more information.)

I can't end this blog without mentioning two of the other high points of my day. The talk given by Ben Hawkes named "Attacking the Vista Heap" was excellent. The talk came to the conclusion that heap exploitation is no longer generic; instead, it is now application-specific, requiring certain conditions to leverage corruption into code execution. However, lots of interesting techniques were divulged. I followed up his briefing by attending the Alexander Sotirov and Mark Dowds briefing on "How to Impress Girls with Browser Memory Protection Bypasses." Wrapped in droll comedy, this briefing was fantastic. It started out with a demonstration of an exploit achieving code execution on Windows Vista with GS, SafeSEH, DEP, and ASLR enabled. Really, it is far too detailed to cover here along with the Cisco IOS forensics talk. I don't feel that I'm doing the talks any justice in my attempts to describe them, so I'd say that it's best to go explore the Recurity CIR wiki for more complete information on this research and to read the "How To Impress Girls With Browser Memory Protection Bypasses" paper and code. GS, SafeSEH, DEP, and ASLR - all defeated in a client-side exploit. Why are you still reading this? Go read the paper!

As always, customers are advised to follow security best practices, including:

- Avoid sites of questionable or unknown integrity

- Do not open files from unknown or questionable sources

- Run all client software with the least privileges required while still maintaining functionality

Microsoft's summary of the August releases can be found here:

www.microsoft.com/technet/security/bulletin/ms08-aug.mspx

Some of the more notable vulnerabilities this month are:

1. MS08-041 Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)

CVE-2008-2463 (BID 30114) Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.9/10)

This is a previously documented vulnerability in the Snapshot Viewer ActiveX control that allows an attacker to download a file to an arbitrary location on the victim's computer. An attacker must trick a victim into visiting a Web page containing malicious content to exploit this issue. If the victim does not currently have the ActiveX control installed, and the victim uses Internet Explorer 6, the attacker can install the control without any further user interaction. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Snapshot Viewer for Microsoft Access, Microsoft Office Access 2000 SP3, Microsoft Office Access 2002 SP3, and Microsoft Office Access 2003 SP2 and SP3

2. MS08-046 Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)

CVE-2008-2245 (BID 30594) Microsoft Color Management System Pathname Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote-code execution vulnerability affects Microsoft Color Management System (MSCMS) when handling a malformed image file. An attacker only needs trick a victim into viewing a Web page or email that contains a malicious picture file to exploit this issue, no further user-interaction is required. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 & SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP1 or SP2 for Itanium-based Systems

3. MS08-044 Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)

CVE-2008-3019 (BID 30595) Microsoft Malformed EPS Filter Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office filters when handling malformed graphics images. By tricking a victim into opening a specially crafted Encapsulated PostScript (EPS) file, an attacker can execute arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office 2003 SP2, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3018 (BID 30597) Microsoft Malformed PICT Filter Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially malformed PICT files. PICT files are normally associated with Apple Quicktime, but if opened with Microsoft Office, arbitrary code-execution can occur. An attacker must trick a victim into opening a malicious file to exploit this issue.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office 2003 SP2, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3021 (BID 30598) Microsoft PICT Filter Parsing Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially malformed PICT files. PICT files are normally associated with Apple Quicktime, but if opened with Microsoft Office, arbitrary code-execution can occur. An attacker must trick a victim into opening a malicious file to exploit this issue.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office 2003 SP2, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3020 (BID 30599) Microsoft Malformed BMP Filter Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially crafted BMP image files. An attacker must trick a victim into opening a malicious file with Microsoft Office to exploit this issue. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office 2000 SP3, Microsoft Office XP SP3, Microsoft Office Converter Pack, and Microsoft Works 8

CVE-2008-3460 (BID 30600) Microsoft Office WPG Image File Heap Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Microsoft Office when handling specially crafted WordPerfect Graphics (WPG) files. An attacker must trick a victim into opening a malicious file in Microsoft Office to exploit this issue. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office 2000 SP3, Microsoft Office 2003 SP2, Microsoft Office XP SP3, Microsoft Office Converter Pack, and Microsoft Works 8

More information on these and the other vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim's computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

While this silent installation ability obviously poses some interesting security considerations, it is actually fairly core to ActiveX operation. For example, a site that wants to provide an Access report for its users may want to install the trusted control and permit the users to simply view the report. This would provide a cleaner experience for the site's users, rather than forcing them to go to the Microsoft site to download and install the control.

This silent install attack is specifically detected by IPS (NIS, NAV, N360, SEP, and SCS) products as HTTP Snapshot Viewer ActiveX Download Request. If the subsequent exploit is encoded, it will be detected by Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) as MSIE MS Snapshot ActiveX File Download. If the exploit is not encoded, IPS will detect is as HTTP SnapShot Viewer ActiveX File Download. Additionally, Symantec antivirus programs will detect this attack as Downloader.

In July, some of the subject lines observed were:

• Beijing Olympics cancelled
• Beijing postpones Olympics due to McCain-Dalai Lama meeting
• Mccain Says Unsure If Obama A Secret Hippopotamus
• Kick-up - Obama speaks in London - video

In the samples observed, the URLs were hosting malicious code (malware). There is a continuing link between spam and other security threats with a penchant for spammers to utilize current events to lure users to open their messages.

Also seen last month was a spam message containing both a proclamation of the start of World War III in the text and a Trojan virus attached to the message. This is another example of spammers banking on human curiosity to open messages with sensational headlines and click links by utilizing current events, which in this particular case happen to be false.

Important to note is the prevalence of malware associated with such spam types. Victims too frequently succumb to curiosity and sensationalism rather than resisting the lure to open messages and further clicking the links. If the headline - or in this case subject line - seems ridiculously sensational, it probably is. If you do open the email, make very sure not to click any links. Instead, use your browser to navigate to a reputable news source and check to see if the headline is true.

Also observed by Symantec in July was a fraud attack targeting Microsoft's POP3 users. The spam email states that the recipient has a POP3 setting problem and needs to click on the URL in the mail to confirm the account data. The body of the email shows simple warning text informing the recipient that the message comes from Microsoft and detailing what the issue is. There is also a URL for the recipient to click to renew their POP3 data. Of course, the URL does not lead the recipient to the correct Microsoft Web site but a hacked Web site, which is being used to obtain personal information from the recipient.

So far, the volume of this particular attack is low. Whenever messages such as this are received, please practice due diligence by verifying the origin of the message and checking out the validity of the URLs. You should always use caution when giving out any personal information online because you never know exactly who is asking for it or how the information will be used.

For more on the above and other highlights, please see the August State of Spam Report.

This scam site claims to be able to source tickets for sold out sporting events, playing on the fact that many Olympic event tickets are already sold out due to huge demand. I checked out the site today and found that tickets for the opening ceremony (which were sold out some time ago) are still available from US $1,750 apiece. I guess to many people this looks like a fantastic opportunity to go to a once-in-a-lifetime event. Probing deeper into this Web site, I found many telltale signs that this site may not be quite what it claims to be. Let's look at some of them now.

First off, the "About Us" section of the Web site offers some clues:

I found some of the statements in this page a little suspect, which raised some questions in my mind. For example: "Beijingticketing.com has been trading since 2007. We are part owned by a major international sporting events company who have over 25 years experience in obtaining the best seating at popular and sold out events." Ok, so, if this outfit is part of a major international sporting events company with 25 years of experience, how come there is no mention of whom exactly this major company is?

Plus, as highlighted in various news reports, the contact details are inconsistent. The phone number is UK based, the office address is in Arizona. On this page it mentions that BeijingTicketing has "three international offices" -one in London, New York, and also Sydney. Alright; great, but then how come the only contact address is in Arizona?

Out of interest I decided to call the phone number given to see if I could book some tickets and I had a few questions for the sales person. Unfortunately, while the number in the UK actually connects, it just rings a few times and then goes dead. So, no luck getting tickets using the phone. Instead I decided to try out the e-ticket sales system. I selected tickets for the Tennis event and proceeded with the checkout, filled out a few standard contacts and billing forms. Then I was forwarded to the credit card information page using an SSL connection, and the tell tale padlock made its, usually reassuring, appearance. I filled in the form with obviously bogus information and interestingly, my transaction was successful!

What this suggests to me is that the backend is simply collecting personal information and is not running it through any credit transaction process at the time of collection. At the time of writing I see that this site is still live, and if you run an online search for "Olympic tickets" you will likely find that this scam site features prominently near the top of your search results.

The creators of this site have gone to great lengths to create a site that is extremely convincing, even down to the calendar of events and the amount of legitimate looking content on the site. Clearly this is the work of professional criminals looking to profit from even very savvy online users looking to enjoy an Olympic experience.

Please be careful and only ever purchase tickets to sporting events through the organizer's official ticketing partners and watch out for too good to be true offers such as last minute tickets to sold out events. As is always the case when it comes to buying anything online, buyers beware.

With that, we wanted to offer some tips to keep your online travels safe, even when you are away from home:

1. Don't let your laptop or PDA sprout mysterious legs. Leaving your laptop out in the open in your hotel room can often prove irresistible to a thief. Many thieves are even known to scour popular vacation or conference spots looking for someone who leaves their laptop alone. I'd go as far as to say that it's a good idea to be discreet about even having a laptop in the first place. Finally, along the same lines, with all the hoops people have to jump through at the airport, many passengers simply forget to put their laptops back in their bags at the security checkpoint. As a precautionary measure, you should encrypt your data before you travel. The last thing you would want is a thief getting their hands on a recent bank or credit card statement (or even pictures from your vacation last year).

2. Make sure all the critical software applications on your machine have up to date patches. This includes not only the core operating system, but also third party applications that you run - whether it's the software you use to purchase and play your favorite music, or simply what you use to view documents. Since you may find yourself surfing over less-than-friendly networks, it helps to ensure that you're not an easy mark for a cyber attacker.

3. Accidentally dropping your laptop while running to catch your flight can be hazardous to your data. And let's also not forget the risks associated with the person sitting next to you on the plane - whether they are looking over your shoulder or spilling a beverage on your device. A privacy screen can help keep your information secure. And backing up critical files can keep you calm if there is a spill.

4. Always run a comprehensive Internet security software suite that is up to date. While you are out and about, and connecting to the Internet in entirely unfamiliar locales, you should keep in mind that the network may not be completely secure. Therefore, it's good to keep your machine protected from the large number of malicious threats that surreptitiously traverse the roads of cyberspace.

5. Be careful of machines at the local cyber cafe or free internet kiosk - the last person to have used the machine may have unknowingly (or knowingly!) left a nasty piece of malware on there for you. In general, never use these machines to connect to a web site that requires you to type your password or for that matter don't type any sensitive information into these systems. For all you know, that information could be recorded and sent to an attacker half way around the world. In one instance we are aware of, travelers who failed to heed this advice had their brokerage accounts emptied because their passwords were recorded by keystroke loggers installed on machines in an Internet cafe. If you use your own computer at an Internet cafe, be sure that any sensitive information you enter into it is encrypted, either by using a virtual private network (VPN) or by ensuring that you are communicating over SSL.

The summer is a great time to relax and unwind. So, I hope you employ these tips and keep yourself virtually safe wherever you physically find yourself. Bon Voyage!

Password creation is a constant dance between security and convenience, where good passwords that bridge the gap are hard to come by. On the one hand, strong passwords, changed on a regular basis, do reduce the likelihood of success for a wide range of attacks. On the other hand, if you make something too complex, you run the risk of forgetting it-somewhat ironic evidence of its security.

So, the ultimate question is, how do you come up with passwords that are both strong and straightforward? It's something I've thought about on more than one occasion while staring at those twin text boxes, "New Password" and "Confirm New Password". So I put this question to a variety of folks within Security Response. What follows are methods used by people within the security industry to make passwords with a good balance of security and easy-of-use.

I want to preface this by stating that a strong password isn't the golden ticket to Internet security. There's been plenty of debate about the usefulness of passwords in today's world of exploits and social engineering tricks. Plus, if your password is picked off by a keylogger or spoof Web site, it's DOA no matter how complex. But passwords aren't going anywhere any time soon and strong ones do help keep your information safer.

Character substitution

Straight out of the Password 101 book, substitute numbers and special characters for letters that are similar in shape or sound: 3 for E, + for t, 8 for "ate". Vary capitalization as well. I'm mentioning these up front not because they're original, but to provide a word of caution. Most dictionary attacks these days take such substitution into account, and will often run these variations against common words. Simply put, something like "password" is not much more secure if spelled out as "P@55w0rD". Still, it's good practice, but should be coupled with other techniques.

A pinch of salt

A concept borrowed from cryptography, you can salt your passwords by adding a few pseudo-random characters. It could be anything from the year you got your first car to the number of claws your three-legged cat has. (Easily identifiable personal info, such as birthdates, is best avoided.) For example, I could take "cr4ck3rs", salt it with my weight in kilograms on Jupiter, and come up with "cr41ck36rs5". This technique makes dictionary attacks much more difficult, and significantly slows down brute force attempts.

Phrases from movies/songs

The world of movies and music provide a rich lexicon of phrases, ripe for password picking. There are the ones we all know, like "D0Uf33l|uckyPunk?" or "WH0|3L0++aLuv". Better yet, use lesser-known references ("Ch|03d0n'tKn0wB3++3r") or maybe play upon a plot thread instead ("0MG,Sh3W45aH3?!"). Of course, there's no limit to sources for such password phrases. Grab a sentence out of random book, try a quote from a comedian, or use a cheesy line from a newspaper advertising insert.

First letter sentences

Another twist on password phrases is to use the first letter of each word in a longer sentence. "Another world, another time, in the age of wonder" becomes "Aw,At,i+40W". This one also takes the teeth out of dictionary attacks, since it contains no words.

Other languages

Do you speak a second language? Do you want to? Try writing a sentence in another language, or simply incorporating a word or two into your password. Assuming your Italian is as "brutto" as mine, it's all the less likely it'll be figured out. (Still, be sure to include character substitution to avoid non-English dictionary attacks.) You could even mix it up with constructed languages, txt spk/lolcats grammar, or one of any number of language games.

Passwords as affirmations

Think of it as the Stuart Smalley approach. Need to watch the budget? ("S4v3S0m3$$") Spending too much time playing video games? ("L3t'sG0Ou+51d3") Tired of pining over the girl who lives in your building? ("A5kS4||y0ut") I'm not a psychologist, but typing in such a password on an average of eight times a day is bound to stick somewhere in the subconscious. Affirmations are more likely to be the types of things you wouldn't share with others as well, being more personal thoughts kept close to the chest. Just remember to keep them positive. "N0D0nut,ChuBBy" doesn't really help anyone.

Elements in page

Here's a clever one for Web-based accounts: create the password out of a combination of elements in the page. For example, if you were creating a password for the Symantec Technology Network, you could combine the first few letters of the dominant color on the page ("yellow"), the logo ("sphere"), and the last words on the page ("Contact Us"). To separate the different elements, insert a marker between each element ("Y3l!Sph!tUs"). There are two things to remember with this method. First, be sure to choose elements that are unlikely to change when the page is updated. Secondly, if you plan to use this for more than one site, establish a method you'll remember across various sites.

One final thing worth mentioning is that out all the responses I received, not one person used any of the above exclusively. In each case, most folks used a combination of the methods to shore up more secure passwords.

So there you have it. Hopefully there are enough interesting tips to finally retire that four-letter password you've used on multiple online forums for years. Still there's no need to go overboard, churning out the typing equivalent of a tongue twister. The key is to find a good balance between strength and ease-of-use.

The following spam subject lines have been seen:

Secret Plan To Kill Internet By 2012: Leaked?

PLAN TO KILL THE INTERNET BY 2012- Documented

2012: The year the Internet as we know it dies...

2012: The Year The Internet Ends

This certainly sounds devastating because many of us spend a rather large amount of our time, both as part of work and as part of life, online. Addition information on this apocalyptic event continues in the various body texts we have seen, including:

Every significant Internet provider around the globe is currently in talks

with access and content providers to transform the internet into a

television-like medium...

It's heresay, but I heard that the growth of the Internet will bring it to a

dead halt come about 2012. People are going nuts...

The reason why we're releasing this information is because we believe we can

stop it. More awareness means more mainstream media shedding light on it,

more political interest and more pressure on the ISP's to keep

the Internet an open free space...

It's happening and it could be as soon as 2010. There are documented facts

that the internet, as we know it today, will disappear. For those wondering

why we are experiencing "black holes" read on...

ISP's have resolved to restrict the Internet to a TV-like subscription mode

where users will be forced to pay to visit selected corporate websites by

2012...

Then there is the attachment, "doc.pdf." The file contains malicious code that is executed on the system when the file is opened. The malicious code is detected as Trojan.Pidief.A by Symantec products. So far, the attachment being used is the same across the board (MD5 - 4977c984367355f590a8bb159f76d94d9) but there's no guarantee that this will remain the case. As you can see by the graph below, the location of the presumably infected machines that are pumping out the spam emails is quite broad; however, the bulk of the spam is originating from the United States:

On underground economy servers, criminals sell a variety of illegal goods and services including bank account credentials, credit card numbers, and full identities. Typically, these goods are used for identity theft related activities. In the ISTR XIII, Symantec observed that the cost of a full identity was 10 times cheaper than it was at the beginning of 2007 and has gained in popularity to become the number three top ranked item advertised for sale. The contents of a full identity may vary, depending on the seller: it typically consists of a name, address, date of birth, phone number, and/or Social Security number. I've also seen sellers include extras such as driver's license number, mother's maiden name, email address, or "secret" questions/answers to entice buyers.

Most people associate identity theft with money as most reported cases involve criminals using the identity for activities such as obtaining credit cards, applying for loans, obtaining expensive medical or pharmaceutical treatments, or stealing homes. Financial identity theft is only one of the many types of identity theft that exists. The Identity Theft Resource Center (ITRC) categorizes identity theft into five major types: financial (the identity is used to obtain goods and services), criminal (the identity is used during a criminal investigation or arrest), commercial (the identity of a business is used to obtain credit), governmental (the identity is used to obtain government issued documents such as a passport or driver's license), and cloning (the identity is assumed by another and used on a daily basis).

Once a criminal purchases a full identity, it can be used to accomplish a variety of tasks, including making a lot of money. Usually, they change the victim's mailing address to route all mail, including credit card bills and financial statements to another location. The criminal can then conduct fraudulent activities without the victim's knowledge and make a tidy profit from them. And unless the victim diligently monitors their credit activity, it may take months to clear up these activities from their credit rating. A recent survey showed that, on average, criminals obtained $5,720 in goods and services from each fraud victim. Now's let's apply that to the 10 United States identities that I could buy for $10. This means that I could theoretically make a total of $57,200 from those 10 identities. Not a bad profit for a $10 investment in this day and age!

Microsoft's summary of the July releases can be found here:
www.microsoft.com/technet/security/bulletin/ms08-jul.mspx

1. MS08-040 Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)

CVE-2008-0085 (BID 30083) Microsoft SQL Server Memory Page Reuse Information Disclosure Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.1/10)

An information disclosure vulnerability affects SQL Server due to how it manages memory page reuse. An attacker with 'database operator' access can exploit this issue to gain access to potentially sensitive information. Information obtained may aid in further attacks.

Affects: SQL Server 7.0 SP4, SQL Server 2000 SP4, SQL Server 2000 Itanium-based Edition SP4, SQL Server 2005 SP1 and SP2, SQL Server 2005 x64 Edition SP1 and SP2, SQL Server 2005 with SP1 and SP2 for Itanium-based Systems, Microsoft Data Engine (MSDE) 1.0 SP4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4, Microsoft SQL Server 2005 Express Edition SP1 and SP2, Microsoft SQL Server 2005 Express Edition with Advanced Services SP1 and SP2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) SP2, and Windows Internal Database (WYukon) x64 Edition SP2

CVE-2008-0086 (BID 30082) Microsoft SQL Server Convert Function Remote Memory Corruption Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.4/10)

A local privilege-escalation vulnerability affects SQL Server when converting SQL expressions from one data type to another. An attacker with authenticated access to the application could exploit this issue to execute arbitrary code with SYSTEM privileges. This issue may be remotely exploitable if an attacker can exploit latent SQL-injection vulnerabilities in web-based applications that use the vulnerable SQL server as a backend.

Affects: SQL Server 2000 SP4, SQL Server 2000 Itanium-based Edition SP4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4, and Server 2000 Desktop Engine (WMSDE)

CVE-2008-0107 (BID 30119) Microsoft SQL Server On-Disk Data Structures Remote Memory Corruption Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.4/10)

A local privilege-escalation vulnerability affects SQL Server due to how it validates data structures on disk files. An authenticated attacker could exploit this issue to execute arbitrary code with SYSTEM privileges.

Affects: SQL Server 7.0 SP4, SQL Server 2000 SP4, SQL Server 2000 Itanium-based Edition SP4, SQL Server 2005 SP1 and SP2, SQL Server 2005 x64 Edition SP1 and SP2, SQL Server 2005 with SP1 and SP2 for Itanium-based Systems, Microsoft Data Engine (MSDE) 1.0 SP4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4, Microsoft SQL Server 2005 Express Edition SP1 and SP2, Microsoft SQL Server 2005 Express Edition with Advanced Services SP1 and SP2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) SP2, and Windows Internal Database (WYukon) x64 Edition SP2

CVE-2008-0106 (BID 30118) Microsoft SQL Server INSERT Statement Remote Memory Corruption Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.4/10)

A local privilege-escalation vulnerability affects SQL Server when processing 'insert' statements. An authenticated attacker can exploit this issue to execute arbitrary code with SYSTEM privileges. This issue may be remotely exploitable if an attacker can exploit latent SQL-injection vulnerabilities in web-based applications that use the vulnerable SQL server as a backend.

Affects: SQL Server 2005 SP1 and SP2, SQL Server 2005 x64 Edition SP1 and SP2, SQL Server 2005 with SP1 and SP2 for Itanium-based Systems, Microsoft SQL Server 2005 Express Edition SP1 and SP2, and Microsoft SQL Server 2005 Express Edition with Advanced Services SP1 and SP2

2. MS08-038 Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)

CVE-2008-1435 (BID 30109) Microsoft Windows Explorer 'saved-search' File Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

A client-side remote code execution vulnerability affects Windows Explorer when handling specially malformed 'saved-search' files. An attacker must trick a victim into opening and saving a malicious 'saved-search' file with the vulnerable application to exploit this issue. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Windows Vista and Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems

3. MS08-039 Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)

CVE-2008-2247 (BID 30130) Microsoft Outlook Web Access for Exchange Server Email Field Cross-Site Scripting Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

A cross-site scripting vulnerability affects Outlook Web Access for Exchange Server. The problem occurs due to a failure to properly validate email fields when opening mail from within a client's OWA session. An attacker must trick a victim into opening a specially crafted email to exploit this issue. A successful attack will allow the attacker to execute arbitrary actions with the permissions of the victim's OWA session.

Affects: Microsoft Exchange Server 2003 SP2

CVE-2008-2248 (BID 30078) Microsoft Outlook Web Access for Exchange Server HTML Parsing Cross-Site Scripting Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

A cross-site scripting vulnerability affects Outlook Web Access for Exchange Server. The problem occurs due to a failure to properly validate HTML when rendering email within a client's OWA session. An attacker must trick a victim into opening a specially crafted email to exploit this issue. A successful attack will allow the attacker to execute arbitrary actions with the permissions of the victim's OWA session.

Affects: Microsoft Exchange Server 2007, and Microsoft Exchange Server 2007 SP1

4. MS08-037 Vulnerabilities in DNS Could Allow Spoofing (953230)

CVE-2008-1447 (BID 30131) Multiple Vendor DNS Implementation Insufficient Socket Entropy DNS Spoofing Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.1/10)

A vulnerability in multiple vendors implementations of the DNS protocol allows attackers to spoof DNS responses to poison the DNS cache. The problem occurs because of weak randomization in the Transaction ID (TXID) and UDP port used in DNS communications. A remote attacker can exploit this issue by sending specific queries to a vulnerable computer, and then respond with false or misleading information.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP1 and SP2 for Itanium-based Systems.

CVE-2008-1454 (BID 30132) Microsoft Windows DNS Server Cache Poisoning Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.1/10)

A vulnerability in Windows DNS Server allows attackers to poison the DNS cache, potentially redirecting users to attacker-controlled sites. The problem occurs because under certain circumstances, a DNS server will accept a response from a nameserver for zones outside the server's authority.

Affects: Microsoft Windows 2000 SP4, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, and Windows Server 2008 for 32-bit Systems, and x64-based Systems.

More information on this and other vulnerabilities is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Microsoft's summary of the July releases can be found here:
www.microsoft.com/technet/security/bulletin/ms08-jul.mspx

1. MS08-040 Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)

CVE-2008-0085 (BID 30083) Microsoft SQL Server Memory Page Reuse Information Disclosure Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.1/10)

An information disclosure vulnerability affects SQL Server due to how it manages memory page reuse. An attacker with 'database operator' access can exploit this issue to gain access to potentially sensitive information. Information obtained may aid in further attacks.

Affects: SQL Server 7.0 SP4, SQL Server 2000 SP4, SQL Server 2000 Itanium-based Edition SP4, SQL Server 2005 SP1 and SP2, SQL Server 2005 x64 Edition SP1 and SP2, SQL Server 2005 with SP1 and SP2 for Itanium-based Systems, Microsoft Data Engine (MSDE) 1.0 SP4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4, Microsoft SQL Server 2005 Express Edition SP1 and SP2, Microsoft SQL Server 2005 Express Edition with Advanced Services SP1 and SP2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) SP2, and Windows Internal Database (WYukon) x64 Edition SP2

CVE-2008-0086 (BID 30082) Microsoft SQL Server Convert Function Remote Memory Corruption Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.4/10)

A local privilege-escalation vulnerability affects SQL Server when converting SQL expressions from one data type to another. An attacker with authenticated access to the application could exploit this issue to execute arbitrary code with SYSTEM privileges. This issue may be remotely exploitable if an attacker can exploit latent SQL-injection vulnerabilities in web-based applications that use the vulnerable SQL server as a backend.

Affects: SQL Server 2000 SP4, SQL Server 2000 Itanium-based Edition SP4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4, and Server 2000 Desktop Engine (WMSDE)

CVE-2008-0107 (BID 30119) Microsoft SQL Server On-Disk Data Structures Remote Memory Corruption Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.4/10)

A local privilege-escalation vulnerability affects SQL Server due to how it validates data structures on disk files. An authenticated attacker could exploit this issue to execute arbitrary code with SYSTEM privileges.

Affects: SQL Server 7.0 SP4, SQL Server 2000 SP4, SQL Server 2000 Itanium-based Edition SP4, SQL Server 2005 SP1 and SP2, SQL Server 2005 x64 Edition SP1 and SP2, SQL Server 2005 with SP1 and SP2 for Itanium-based Systems, Microsoft Data Engine (MSDE) 1.0 SP4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4, Microsoft SQL Server 2005 Express Edition SP1 and SP2, Microsoft SQL Server 2005 Express Edition with Advanced Services SP1 and SP2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) SP2, and Windows Internal Database (WYukon) x64 Edition SP2

CVE-2008-0106 (BID 30118) Microsoft SQL Server INSERT Statement Remote Memory Corruption Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.4/10)

A local privilege-escalation vulnerability affects SQL Server when processing 'insert' statements. An authenticated attacker can exploit this issue to execute arbitrary code with SYSTEM privileges. This issue may be remotely exploitable if an attacker can exploit latent SQL-injection vulnerabilities in web-based applications that use the vulnerable SQL server as a backend.

Affects: SQL Server 2005 SP1 and SP2, SQL Server 2005 x64 Edition SP1 and SP2, SQL Server 2005 with SP1 and SP2 for Itanium-based Systems, Microsoft SQL Server 2005 Express Edition SP1 and SP2, and Microsoft SQL Server 2005 Express Edition with Advanced Services SP1 and SP2

2. MS08-038 Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)

CVE-2008-1435 (BID 30109) Microsoft Windows Explorer 'saved-search' File Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

A client-side remote code execution vulnerability affects Windows Explorer when handling specially malformed 'saved-search' files. An attacker must trick a victim into opening and saving a malicious 'saved-search' file with the vulnerable application to exploit this issue. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Windows Vista and Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems

3. MS08-039 Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)

CVE-2008-2247 (BID 30130) Microsoft Outlook Web Access for Exchange Server Email Field Cross-Site Scripting Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

A cross-site scripting vulnerability affects Outlook Web Access for Exchange Server. The problem occurs due to a failure to properly validate email fields when opening mail from within a client's OWA session. An attacker must trick a victim into opening a specially crafted email to exploit this issue. A successful attack will allow the attacker to execute arbitrary actions with the permissions of the victim's OWA session.

Affects: Microsoft Exchange Server 2003 SP2

CVE-2008-2248 (BID 30078) Microsoft Outlook Web Access for Exchange Server HTML Parsing Cross-Site Scripting Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

A cross-site scripting vulnerability affects Outlook Web Access for Exchange Server. The problem occurs due to a failure to properly validate HTML when rendering email within a client's OWA session. An attacker must trick a victim into opening a specially crafted email to exploit this issue. A successful attack will allow the attacker to execute arbitrary actions with the permissions of the victim's OWA session.

Affects: Microsoft Exchange Server 2007, and Microsoft Exchange Server 2007 SP1

4. MS08-037 Vulnerabilities in DNS Could Allow Spoofing (953230)

CVE-2008-1447 (BID 30131) Multiple Vendor DNS Implementation Insufficient Socket Entropy DNS Spoofing Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.1/10)

A vulnerability in multiple vendors implementations of the DNS protocol allows attackers to spoof DNS responses to poison the DNS cache. The problem occurs because of weak randomization in the Transaction ID (TXID) and UDP port used in DNS communications. A remote attacker can exploit this issue by sending specific queries to a vulnerable computer, and then respond with false or misleading information.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP1 and SP2 for Itanium-based Systems.

CVE-2008-1454 (BID 30132) Microsoft Windows DNS Server Cache Poisoning Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.1/10)

A vulnerability in Windows DNS Server allows attackers to poison the DNS cache, potentially redirecting users to attacker-controlled sites. The problem occurs because under certain circumstances, a DNS server will accept a response from a nameserver for zones outside the server's authority.

Affects: Microsoft Windows 2000 SP4, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, and Windows Server 2008 for 32-bit Systems, and x64-based Systems.

More information on this and other vulnerabilities is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

- Hacked personal email account used to scam contacts

- Spammers simplify email harvesting technique

- China Earthquake tragedy used to spread viruses

- Olympics-related lottery scam emerges

- Bogus news events continue to be used by spammers to net innocent victims

Hacking personal email accounts, taking advantage of tragedies, and generating bogus news events are all part of the spammer arsenal in recent times. One of the more interesting developments we came across this month was particularly nefarious. Imagine that your personal email account is hijacked by a spammer who, without your knowledge, pretends to be you and proceeds to send emails to everyone on your contact list. That's exactly what happened. In this case, the spammer assumed the identity of the user, concocted a story about being trapped on a vacation in Nigeria, and requested money to assist leaving. This is sneaky because the email will look like it is indeed coming from a trusted source-a known person. In one case that Symantec observed, the spammer was able to gain access to some users' passwords for an online auction site and began bidding on computer equipment, which he also requested be shipped to Nigeria.

But what are the security implications of deploying NPUs on PCs? Each network card would need to have embedded software to run it; so basically, your network card becomes a computer within a computer that specializes in running network-related activities. Realizing this, the NPU network cards are likely to become a lucrative target for malicious activity.

Imagine a situation where NPU network cards are commonplace. Then, imagine a botnet that takes advantage of them. Malicious software could attack and potentially compromise an NPU network card without even bothering with the PC itself or the operating system running on it. If bot software controlled an NPU, it could eavesdrop on all network communications originating and terminating at the compromised computer, and it could carry out further attacks targeting other NPU network cards. And, it could do all of this without being detected by conventional antivirus methods. To malicious code writers, it could mean a fresh platform to perpetrate malicious activity. If such NPU cards could be manipulated, it is possible that software could be installed to generate any kind of network data, including spam, phishing Web sites, etc. The sky may be the limit.

Of course, there would be some natural caveats to this. It is likely that NPU network cards would be proprietary and closed systems that would make it difficult for attackers to reverse engineer. Also, there may be very little standardization between companies releasing NPU based cards, not to mention between different NPU card products released by the same company. In any case, to protect against something that didn't interface with a PC operating system there would need to be strong network-based detection schemes that could identify, quarantine, and disinfect infected cards.

John Doe, sitting in his office, was scrolling through email in his inbox when he noticed an email with this subject line:

Mail delivery failed: returning message to sender

John thought to himself, "Message delivery failed? Did my message to Jane get blocked?" He then proceeded to open the message and found that it was an online pharmacy spam message he had allegedly sent. John is initially puzzled because he never sent that message himself. Soon, he realizes that the message is NDR spam.

Symantec has observed a wave of non-delivery receipt (NDR) attacks over the past month. While this technique is certainly not new, a spike in volume was significant enough for us to take a deeper look. A lot of people are confused about these messages. Where do they come from? What is the purpose?

This spam type utilizes a crafty technique: rather than inserting the spam victims' email addresses in the "To" line of the message, NDR spammers insert the addresses into the "From" line. Next, the spammer sends that message to a server with a random inbox as the destination. This message travels to the destination, only to get bounced back to the original "sender" because the mailbox does not exist. Because the "From" line has been spoofed, the spam victim receives the bounced spam message.

Some mail servers are configured to include the entire original message in the bounce. This is the desired result of the NDR spammer, because the spam victim will look at the original spam when combing through the bounce message.

The spammer is gambling on the recipient having a higher likelihood of opening this type of message, since the subject line is vague enough to not indicate obvious spam. Most people use their email accounts daily and when they see a bounce message, the natural instinct is to open it up and check to see which of the sent messages was not received. Of course, if you haven't sent an email recently and you receive a bounce spam message in your inbox, the chances that it is NDR spam are quite likely. NDR spam appears to be the method of choice lately for spammers. The bottom line is, do not open bounce messages unless you have recently sent mail. Symantec is keeping a close eye on this current wave of NDR spam and as usual are working hard to implement measures to protect end users' email inboxes.

Recently, during her vacation to visit me, my sister forgot her cell phone and had to use her credit card in a pay phone to call me. Later that day, she tried to use the same credit card to check into her hotel and it was declined. After calling the credit card company, the man on the phone informed her that criminals often test stolen credit cards in pay phones to verify if it is still valid. Credit card companies know this and instantly put a hold on the card when this occurs.

Of course, this doesn't bode well for the criminal. They have checked if the card works and by doing so, it has been flagged and possibly deactivated. What is a criminal to do? What other methods can they use to verify the validity of the card but yet, still be able to buy that limited edition R2D2 DVD projector after the process? In a previous blog, it was observed that some criminals use the stolen credit card to donate a small amount to a major charity. If the transaction was successful, then they know the card is valid.

In the underground economy servers that Symantec monitors, I noticed that criminals are now offering "background check" services for credit cards. Not only are criminals concerned about the validity of the cards they purchase (the often use "fresh" in their ads to indicate that they are still valid), but they are also concerned about the validity of the numbers they are given and that all parts, such as the expiry date and CVV2 number, match up. (The "card verification value" is a three-digit number on the back of credit cards used for not-in-person transactions.) For example, one vendor offered checking services for expiration dates, CVV2 numbers, and dumps (information stored on the magnetic strip). For $10, the vendor will check 1000 CVV2 numbers against the corresponding credit card numbers. Quelle bargain!

Now, verifying a credit card number is pretty simple, since the major credit card companies use the Luhn algorithm for error checking. The Luhn algorithm can detect single-digit errors and transpositions in the card number, and is only used to validate credit card numbers. What about CVV2 and expiration dates?