Archive for July, 2006

Fighting off blended threats - the basics

Thursday, July 27th, 2006


It can be difficult to run more than one anti-virus package on the same PC. Most installers, however, let you disable the real-time (on-access) memory monitor; turn it off for the second product and the two should no longer conflict.

If two packages still conflict with each other, boot into Safe Mode and uninstall one of them.

If both are installed and one has its real-time monitor switched off, use that second product for a full on-demand scan every other week. Don't be surprised if it finds malware that your other security products missed: no single engine catches everything.

What differs between anti-virus and anti-spyware software

An anti-virus package usually scans incoming e-mail for malicious code, so it is the right tool for checking mail as it arrives, and a good AV engine may well catch spyware at that point too.

Anti-virus products are, however, less effective than dedicated anti-spyware programs at detecting spyware that is already installed. That is where anti-spyware products shine.

In short:

    > The AV program is best at catching spyware that is trying to enter your computer.
    > An anti-spyware product is the best choice for finding spyware that has already infected your machine.

Finally, intrusion detection software can also discover whether files or settings have been manipulated after the fact: it compares the current state of the system with a baseline recorded earlier, which is how changes made by something that hides from the AV engine can still come to light….

    > Catching the Sony rootkit trying to do damage to your PC (coming soon on this blog).
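The check that intrusion detection software performs here is, at its simplest, a comparison against a recorded baseline. The following example was added for this page and is not code from CyTRAP Labs or from any product mentioned; it shows baseline-and-compare in Python over a constructed directory tree. A directory is hashed, two changes are made to it, and the differences are reported. The file names and contents are placeholders.

```python
"""Added example for this page (not code from CyTRAP Labs or any product it
names): integrity checking by baseline comparison.  Every file under a
directory is hashed with SHA-256; a later pass reports files that were added,
removed or changed.  The directory tree below is constructed in a temporary
folder so the script runs offline; its file names are placeholders."""
from __future__ import annotations

import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file in 1 MiB chunks so large binaries need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: str) -> dict[str, str]:
    """Map each file (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small 'system' tree, then replace one
    driver and drop a new one, as a rootkit installer would."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "drivers"))
        with open(os.path.join(root, "drivers", "disk.sys"), "wb") as fh:
            fh.write(b"original driver image")
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        before = take_baseline(root)

        with open(os.path.join(root, "drivers", "disk.sys"), "wb") as fh:
            fh.write(b"patched driver image")            # modified in place
        with open(os.path.join(root, "drivers", "extra.sys"), "wb") as fh:
            fh.write(b"new kernel-mode component")       # added
        after = take_baseline(root)

    return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8s} {paths}")
```

Running it lists one changed file and one added file. On a real host the baseline must be stored off the machine and the comparison should be run from clean boot media: a rootkit that controls the running operating system can lie about file contents, so a baseline kept on the same disk, or a scan run from inside the compromised system, proves little.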


CyTRAP Labs’ FAQ - best practices for protecting your PC against malware

Wednesday, July 26th, 2006


Below we present a guide based on past experience. We have developed a malware best-practices check-list for home users, to make sure your PC or mobile is protected as well as possible against the threats all users face daily. The key practices are:

  1. When we see bad malware situations, they are almost always caused by the user surfing to untrusted web sites. Users must also understand that the two most common routes for a malware infection are
      > e-mail, and
      > applications installed from Internet downloads.
  2. The best defense is to follow good security practices, which pays off three times over:
      > saving time,
      > saving money, and
      > avoiding grief (e.g., losing data).
  3. Do not open e-mail attachments at all unless the sender told you beforehand that he or she would be sending you a file, AND
  4. Do not download any programs or files unless they come from a trusted site (e.g., the software vendor, Mozilla). Type the web address into your browser yourself (do not copy and paste it from a message) when going to a site to download something, so that you can be sure it is not a fake site (see the spyware tip in the CASEScontact.org guide: the best ways for getting rid of spyware and stealthware).
  5. Avoid visiting a site you do not trust or know nothing about; it is an unnecessary risk.
  6. Do not click on any http:// link given in an e-mail. Instead, type the address yourself, or, if you do copy it (CTRL C) and paste it (CTRL V) into the browser's address bar, read it carefully before hitting Enter and make sure the domain name is the one you expect.
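Tip 6 asks you to look at a link before following it. The example below was added for this page (it is not from the CyTRAP checklist) and automates that look for an HTML e-mail: it parses every link and flags the tricks that make a pasted address look right while it points elsewhere, namely a user@ prefix in front of the real host, a bare IP address, and visible text naming one domain while the href goes to another. The message and the domain names are constructed placeholders.

```python
"""Added example for this page (not code from the CyTRAP checklist): the
look a reader should give a link before pressing Enter, automated for an HTML
e-mail.  The message and the domain names are constructed placeholders."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements of a message."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Lower-cased host part of an address, with a scheme added if missing."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def check_link(href: str, text: str) -> list[str]:
    """Reasons to distrust one link; an empty list means nothing odd was seen."""
    reasons = []
    parts = urlsplit(href)
    real_host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # http://www.bank.example@203.0.113.5/ really connects to the IP.
        reasons.append("user@ prefix hides the real host")
    if "." in text and " " not in text:
        # The visible text looks like an address, so it must agree with href.
        shown = host_of(text)
        if shown and shown != real_host:
            reasons.append(f"shows {shown} but goes to {real_host}")
    if real_host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain name")
    return reasons


def audit_mail(html: str) -> dict[str, list[str]]:
    """Map every href in the message to the list of reasons to distrust it."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample message: one honest link and two deceptive ones.
SAMPLE_MAIL = """
<p>Your account needs attention. Visit
<a href="https://www.example-bank.com/login">www.example-bank.com</a>,
<a href="http://www.example-bank.com@203.0.113.5/login">www.example-bank.com</a>
or <a href="http://login.example-bank.com.evil.example/">login.example-bank.com</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in audit_mail(SAMPLE_MAIL).items():
        print(href, "->", reasons or "looks consistent")
```

The third link is the one people miss most often: the address really does start with the bank's name, but the registered domain is the last two labels, evil.example. Reading the host from the right is the habit tip 6 is asking for.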

Stay tuned: in the following days and weeks we will post:

    > CyTRAP Labs - best practices - blended threats - catching the Sony BMG rootkit and other meanies,
    > Fighting off blended threats - the basics


CyTRAP Labs’ FAQ - best practices for home users against malware - the basics

Tuesday, July 25th, 2006


Using past experience as a guide, we have developed a malware best-practices check-list for home users, to make sure the anti-virus software on your PC or mobile is set up as effectively as possible. This should, of course, help reduce the threats all users face daily.

    1. Be sure the signatures in your anti-virus software are up to date. Check that the software is set to update itself automatically (the usual default in most programs).
    2. Let the software automatically scan incoming e-mail and attachments.
    3. Choose a set-up that schedules a complete scan of your system weekly, at a regular time (same day, same hour). To save time and grief, schedule the scan for a time when your computer is on but you are normally doing something else, such as every Saturday at 10:00, when you are up and having breakfast. A complete scan of an 80 GB hard drive takes more than three hours and slows the system down, so it is wise not to use the computer during the scan. Be aware, too, that if the computer is switched off at the scheduled time, the full scan will simply not happen, so check afterwards that it actually ran.

You should also check the following related postings that are coming within the next week:

    > CyTRAP Labs’ FAQ - best practices for home users against malware - the basics
    > Fighting off blended threats - the basics


CyTRAP Labs EU IST news: this week’s highlights 2006-07-23

Sunday, July 23rd, 2006


Get your hands on the newsletter read by Europe’s IT security experts via e-mail by subscribing to CASEScontact.org

This week’s newsletter can be read online by visiting:

This week’s highlights are:

  1. Greece is trying to cope with possible information security threats but time is running out
  2. CyTRAP Lab’s Choice - GAME 02 - Summer 06 - Akuji - free of course
  3. Best Practice - NIST 800-53A - Assessment Guidelines for Mandated Security Controls
  4. Free source - Windows Server 2003 command reference guide

If you want past issues, you can get them here in the archive of CyTRAP Labs — EU IST News (ISSN 1600-1869).

Enjoy


CyTRAP Labs’ FAQ - how does an anti-virus program find malware on a computer?

Wednesday, July 19th, 2006


In the same vein, we thought an FAQ on how virus scanners work might interest you. Two approaches are used to scan a PC's hard drive for malware:

  1. File scanners detect malware on the hard drive before the infected programs are ever run, that is, before they can infect the computer. The scanner reads each executable file on the disk and looks for known signatures. A signature is a specific sequence of bytes found in the malware file that identifies it uniquely, much as a fingerprint identifies a person.
  2. System scanners are best at detecting malware that has already installed itself on the computer. The scan focuses on particular areas of the machine, such as the Windows autostart locations, where an entry makes the malware run every time Windows starts; scanning the autostart areas reveals such entries. The scan also detects changes the malware has made to the Windows Registry, another popular place for malware to hook itself in.

The anti-virus program uses file scanning when new e-mail arrives. System scanning happens when the machine boots or restarts. To make sure a system scan happens, smart users restart their PC or notebook before connecting it to a local area network (LAN).
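As an added illustration, not taken from the original FAQ or from any vendor's engine, the following Python sketches both approaches: a file scanner that matches byte signatures, one of them with wildcard bytes so that it also picks up variants, and a system scanner that inspects autostart entries. The signature database, the sample files and the autostart entries are constructed for the demo and are not real malware signatures; the "trusted" and "suspect" directory lists are assumptions.

```python
"""Added example for this page (not code from the CyTRAP FAQ or any vendor
engine): toy versions of the two scan types described above.  The signature
database, the sample files and the autostart entries are constructed for the
demo and are not real malware signatures; the trusted and suspect directory
lists are assumptions."""
from __future__ import annotations

import os
import re
import tempfile

# File scanner part.  A signature is a byte sequence that identifies one
# family.  '??' stands for any single byte, so one pattern also matches close
# variants: a simple form of the heuristic detection meant by criterion C below.
SIGNATURES = {
    "Demo.Dropper.A": b"\x4d\x5aDROP\x00",       # exact byte sequence
    "Demo.Worm.gen": b"W0RM\x01??\xff??END",     # two wildcard bytes
}


def compile_signature(pattern: bytes):
    """Escape the literal parts and let each '??' match exactly one byte."""
    literal = pattern.split(b"??")
    return re.compile(b".".join(re.escape(p) for p in literal), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_file(path: str) -> list[str]:
    """Return the families whose signature occurs in the file.  A real engine
    streams large files in chunks; reading whole files is enough for a demo."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each infected file (path relative to root) to the families found."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


# System scanner part.  Autostart entries (Run keys, Startup folder) are
# checked for programs that live where no normal installer would put them.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\")


def check_autostart(entries: dict[str, str]) -> list[tuple[str, str]]:
    """Flag autostart commands that run from a scratch folder or from outside
    the usual install locations.  Input is {value name: command line}."""
    findings = []
    for name, command in entries.items():
        cmd = command.lower().lstrip('"')
        if any(d in cmd for d in SUSPECT_DIRS):
            findings.append((name, "runs from a temporary or download folder"))
        elif not any(cmd.startswith(d) for d in TRUSTED_DIRS):
            findings.append((name, "runs from outside Windows/Program Files"))
    return findings


def demo() -> tuple[dict[str, list[str]], list[tuple[str, str]]]:
    """Constructed files and Run-key values; see the lead-in."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "clean.exe": b"MZ\x90\x00 nothing to see here",
            "setup.exe": b"MZDROP\x00 payload follows",              # exact hit
            "worm_v2.exe": b"header W0RM\x01\x7a\xff\x02END tail",  # variant
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        file_hits = scan_tree(root)

    autostart = {
        "DemoAV": r"C:\Program Files\Demo AV\monitor.exe",
        "Updater": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "Helper": r"C:\Users\alice\helper.exe",
    }
    return file_hits, check_autostart(autostart)


if __name__ == "__main__":
    hits, findings = demo()
    print("file scanner:", hits)
    print("system scanner:", findings)
```

The worm sample differs from its signature in the two wildcard positions and is still caught; the same file would slip past an exact-match signature, which is the difference criterion C below is about. The autostart heuristic is deliberately crude: a real product also checks the file's digital signature and compares entries with what was present at the last clean scan.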

When choosing a product, three criteria matter:

    A) does the version you intend to buy include e-mail scanning (i.e., can it scan incoming e-mail, or only the hard drive),
    B) how quickly the latest threats are added to the signature-file updates (the database of virus signatures the program checks against), and
    C) its ability to pick up variants of existing viruses using heuristics.

Criterion A is not a great concern if you are not the kind of person who opens attachments without first checking that the apparent sender really meant to send them.

Criterion B can be a concern, but again it depends on how cautious you are. Criterion C is clearly a technical matter that is rarely, if ever, addressed in the so-called software tests in magazines.

Be aware, too, that while some viruses only replicate, many can do severe damage to a computer system or a user's data, and all of them are a pain and cost you time.

Biological viruses make us sick - how they differ from the digital menace

Monday, July 17th, 2006


In medicine, a virus is a microorganism smaller than a bacterium. It cannot grow or reproduce outside a living cell, so it invades one and uses the cell's chemical machinery to stay alive and replicate.

Some viruses can change slightly in each infected person, making treatment more difficult.

Viruses cause many common human infections, such as the common cold, the flu, or acquired immunodeficiency syndrome (AIDS), which is caused by the human immunodeficiency virus (HIV).

The growth of a parasitic organism within the body is called an infection. A parasitic organism is one that lives on or in another organism and draws its nourishment from it. Someone who has caught an infection has another organism (a "germ") growing within her and feeding on her.

How does the above compare to a computer virus?
In computing, a virus is a destructive program that can reproduce itself and infect other programs or disks.

However, unlike a bacterium or a biological virus, a computer virus is not a living organism in the biological sense.

==> A computer virus does not need a living cell to stay alive.
A computer virus may have a self-replicating mechanism similar to that of a biological virus but, in contrast, it must be activated before it can replicate.

Usually this happens through a user action, such as opening a file attachment, which executes the virus code.

Once activated, the virus may replicate itself on the infected system or perform whatever other malicious actions it was programmed for.

One practical consequence: consider a mail system that quarantines attachments for at least 6-12 hours to let anti-virus signatures catch up. That may not be acceptable for many organizations, but right now, with a known exploit in circulation, it is a reasonable step.

A computer virus infection means that malicious code is using the PC's resources (e.g., RAM or disk space) to perform tasks the user did not authorize.

Please remember

A virus such as the common cold spreads through the air (e.g., people sneezing on a plane, where the air is recirculated until touchdown). It may enter a person when he or she breathes, drinks from a glass that has not yet been washed, touches a doorknob that somebody with a cold used earlier, and so on.

A classic computer virus, by contrast, cannot spread from one system to another on its own: human help is needed. People have to swap diskettes, trade programs or exchange files or e-mails via a network or the Internet for a virus to get in. (Network worms, which spread between machines by themselves, are the exception.) So the tips given in this document should be followed to minimize the risk.

Stay tuned: in the following days and weeks we will post:

    > Biological viruses make us sick - how they differ from the digital menace
    > CyTRAP Labs’ FAQ - best practices for protecting your PC against malware
    > CyTRAP Labs’ FAQ - best practices for protecting your organization’s systems against malware
    > and more


CyTRAP Labs FAQ - Microsoft Powerpoint - Zero-Day vulnerability - 2006-07-11 - 2006-07-16

Sunday, July 16th, 2006


This is a serious vulnerability that we consider highly critical, so we are publishing this Frequently Asked Questions (FAQ) document for your benefit.

Q: What is this latest Microsoft PowerPoint 0-day vulnerability?
A: This previously unknown vulnerability is caused by an unspecified error when processing malformed PowerPoint documents. The detailed characteristics are not publicly known, but the component being exploited is mso.dll (a shared Office library).

We gave an update on CASEScontact advisory: Zero-day vulnerability with Microsoft Powerpoint - remote code execution - 2006-07-14

This flaw has been used in several e-mail attacks against organizations that have not been named. Microsoft has confirmed these attacks.

Q: Is this one of the critical vulnerabilities reported on 11 July with the MS July Security Bulletins?
A: No. This is a new, unpatched vulnerability. The vulnerabilities fixed in MS06-038 and the other July bulletins are different issues.

Q: What Windows versions are affected?
A: See here CASEScontact advisory - Update 1 - Zero-day vulnerability with Microsoft Powerpoint - remote code execution - 2006-07-16 - under Systems affected.

This vulnerability has been known since 11 July and Microsoft acknowledged it on 14 July; targeted attacks exploiting it are in progress as you read this.

Q: Is Microsoft PowerPoint for Mac affected by this vulnerability?
A: There is no official information about this. US-CERT lists the Mac versions as affected too.

Q: Where are the official Microsoft documents related to this case located?
A: The documents published by Microsoft are on the Microsoft Security Response Center (MSRC) blog.

Q: How can I protect myself from this vulnerability?
A: The best advice is to use anti-virus software and check that its signature files are up to date. Keep in mind that signatures can only follow a zero-day, not precede it, so until a patch exists do not open PowerPoint attachments you were not expecting.

Q: Has exploit code for this vulnerability been released publicly?
A: UPDATE: Yes. Three separate proofs-of-concept were posted to public security mailing lists (moderated and unmoderated) on 15 July. These PoCs have been tested against PowerPoint 2003. However, they are reported to demonstrate new, different vulnerabilities.

Q: Does this mean that there are several unpatched vulnerabilities in PowerPoint?
A: According to the latest information, yes. The PoCs cover three vulnerabilities:

  1. a memory corruption issue
  2. an issue in mso.dll
  3. an issue in powerpnt.exe

Q: Is it still safe to open any .PPT files at all?
A: It is very important not to open PowerPoint files from unknown sources. Files that appear to come from familiar sources can cause an infection too if the sender address has been spoofed.

Q: Are there any visual effects informing about the infection?
A: Yes. Go here for more information at: CASEScontact advisory - Update 1 - Zero-day vulnerability with Microsoft Powerpoint - remote code execution - 2006-07-16

Q: Does the Trojan dropped by this exploit have any special features?
A: Yes. It can inject itself into the Explorer process.
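Two controls the text supports, as an added example that is not from CASEScontact, CyTRAP Labs or Microsoft: recognising a .ppt attachment by content (the OLE compound-file magic number) instead of by its name, and the attachment quarantine suggested in the 17 July post above, which releases a held file only after its hold period has passed and the anti-virus signatures have been refreshed since it arrived. The messages, the timestamps, the 12-hour hold and the signature-update clock are assumptions made for the demo.

```python
"""Added example for this page (not from the CASEScontact advisory, the CyTRAP
FAQ or Microsoft): two mail-gateway controls the text argues for.  Attachments
are recognised as OLE compound documents (the container of .ppt, .doc and
.xls files) by their first eight bytes rather than by file name, and such
attachments are held until a hold period has passed AND the anti-virus
signatures have been updated since the message arrived.  The messages,
timestamps, the 12-hour hold and the signature-update clock are assumptions
made for the demo."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Magic number of an OLE2 / Compound File Binary container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HOLD_FOR = timedelta(hours=12)      # within the 6-12 hours the post suggests


def is_ole_document(data: bytes) -> bool:
    """Content check: a renamed deck (deck.ppt -> photo.jpg) is still a deck."""
    return data[:8] == OLE_MAGIC


@dataclass
class Attachment:
    filename: str
    data: bytes
    received: datetime
    held: bool = False

    def __post_init__(self):
        self.held = is_ole_document(self.data)


@dataclass
class Quarantine:
    signatures_updated: datetime            # when the AV signature set last changed
    queue: list[Attachment] = field(default_factory=list)

    def submit(self, att: Attachment) -> str:
        """Deliver harmless attachments at once; queue OLE documents."""
        if not att.held:
            return "delivered"
        self.queue.append(att)
        return "held"

    def release(self, now: datetime) -> list[str]:
        """Deliver held items whose hold period has elapsed and for which a
        signature update arrived after the message did.  The second condition
        is what turns a plain delay into protection: a delay during which no
        update shipped has bought nothing."""
        released = []
        for att in list(self.queue):
            aged = now - att.received >= HOLD_FOR
            covered = self.signatures_updated > att.received
            if aged and covered:
                self.queue.remove(att)
                released.append(att.filename)
        return released


def demo() -> tuple[dict[str, str], list[str], list[str], list[str]]:
    """Constructed traffic: a text note, a deck, and a deck renamed to .jpg."""
    t0 = datetime(2006, 7, 16, 9, 0)
    gateway = Quarantine(signatures_updated=t0 - timedelta(hours=2))
    mail = [
        Attachment("agenda.txt", b"Monday 10:00, room 4", t0),
        Attachment("deck.ppt", OLE_MAGIC + b"\x00" * 24, t0),
        Attachment("photo.jpg", OLE_MAGIC + b"\x00" * 24, t0),
    ]
    verdicts = {a.filename: gateway.submit(a) for a in mail}
    not_aged = gateway.release(t0 + timedelta(hours=6))   # hold not over yet
    no_update = gateway.release(t0 + HOLD_FOR)            # aged, no new signatures
    gateway.signatures_updated = t0 + timedelta(hours=5)  # vendor ships an update
    released = gateway.release(t0 + HOLD_FOR)
    return verdicts, not_aged, no_update, released


if __name__ == "__main__":
    print(demo())
```

A production deployment needs a maximum hold after which a message is bounced or delivered with a warning, since the signature condition can otherwise hold mail indefinitely, and a notification so the recipient knows something is waiting. The magic-number check covers the binary .ppt format discussed in this FAQ; it says nothing about whether the document is malicious, only that it is the kind of file the rule applies to.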


CASEScontact.org: this week’s highlights 2006-07-16

Saturday, July 15th, 2006


Get your hands on the latest content via e-mail by subscribing to CASEScontact.org

This week was Patch Tuesday at Microsoft again, and CASEScontact.org has of course published an advisory:

> CASEScontact.org advisory: MS Patch Tuesday - July 2006 - 2 Microsoft Security Bulletins affecting Microsoft Windows, 3 affecting Microsoft Office

In addition, yesterday (Friday) a zero-day exploit appeared that can cause problems for users of Windows Office and PowerPoint. CASEScontact.org has issued an advisory on it. Importantly, it also explains in simple terms how to change the relevant Windows setting so that you are protected, and it shows what an e-mail carrying the virus as an attachment in a PowerPoint file would look like, should you receive one.

> CASEScontact.org advisory: Zero-day vulnerability with Microsoft Powerpoint - remote code execution

Take a look at the advisories; it is worth your while.

English Summary

This week we had Microsoft's monthly Patch Tuesday to deal with, and a whole bunch of patches rated critical came our way. CASEScontact.org has published an advisory with all the important information in telegram style for your perusal:

> CASEScontact.org advisory: MS Patch Tuesday - July 2006 - 2 Microsoft Security Bulletins affecting Microsoft Windows, 3 affecting Microsoft Office

Yesterday, Friday, a zero-day vulnerability affecting Windows Office and PowerPoint users was reported that is currently being exploited in the wild. CASEScontact.org released an alert. Importantly, it outlines succinctly and in plain language what you must change in Windows to protect yourself against this highly critical threat, and it also illustrates what an e-mail carrying the infected PowerPoint attachment could look like.

> CASEScontact.org advisory: Zero-day vulnerability with Microsoft Powerpoint - remote code execution

Check it out, you’ll be glad you did.
