Category: Warnings

So far there are no reports of SDBot-UH in the wild but the inclusion of selective network sniffing along with keystroke logging features and other backdoor capabilities has security researchers worried.

Sniffers are designed to monitor network traffic. They are widely used for network performance diagnostics but in this instance their function has been turned to malign purposes. Bundling a network sniffer with an auto-propagating worm makes it easier for hackers to harvest usernames and passwords than would otherwise be the case.

The sniffing capabilities of SDBot-UH worm focus on phrases associated with network logins and Paypal accounts. It also tries to steal the CD keys of games, according to an advisory by AV firm Trend Micro.

Patrick Nolan, a security researcher at the Internet Storm Center, warns: “If the Trojans described by Trend can successfully transmit the filter’s packet captures back to the owner, they are going to cause problems well beyond typical bot infestation issues.”

SDBot-UH uses a variety of well-known Microsoft exploits to spread. It also looks for weak usernames and passwords to gain access to target machines. Malicious sniffers can be difficult to detect but Netcraft points to a number of tools such as Sentinel and AntiSniff that can be used to detect sniffers on a network.

http://www.theregister.co.uk/2004/09/14/network_sniffer_worm/

Microsoft made available to customers in August a couple of different tools to temporarily disable the delivery of SP2 to users machines via its Windows Update/Automatic Update patching services. A number of customers had requested these tools, claiming they were not ready to take delivery of SP2, as they had not tested SP2 adequately to make sure it did not break their applications. Originally, the tools were set to postpone delivery via Windows Update/Automatic Update for 120 days, starting August 16. But on September 7, Microsoft extended this deadline to 240 days (April 12th 2005).

Microsoft has acknowledged that a number of applications, including several of its own, do not work properly with SP2 unless certain settings are changed. And a number of third-party hardware and software vendors still have yet to provide patches and updates to their products that will allow them to work with SP2.

This fall, Microsoft will be reaching out to this user base via its “Protect Your PC” campaign, in an attempt to make sure as many XP users as possible install the SP2 update.

http://www.microsoft-watch.com/article2/0,1995,1643908,00.asp?kc=MWRSS02129TX1K0000535

Now that the long-awaited 802.11i standard for enhanced WLAN security has been ratified, can IT assume that WLANs have grown as secure as their cabled counterparts? Much of it has already been available for about 18 months in an 802.11i subset called Wi-Fi Protected Access (WPA). And while standards-based security technology plays a big part in protecting enterprises, the issues reach beyond a signed set of technical specs.

For example, there’s a broad installed base of specialized client devices, such as bar code scanners, that run the MS-DOS operating system. They are not upgradable, even to earlier versions of authentication and encryption, let alone to 802.11i, which requires Advanced Encryption Standard protection. As enterprises expand their WLANs, these legacy devices might well become the weakest link in the wireless security chain.

And some administrators lack confidence in their ability to properly implement the various pieces of WLAN security, particularly since new attacks regularly make headlines. WPA also uses the industry-standard 802.1x framework for strong user authentication. And AES, the U.S. government block-cipher standard for 128-bit data encryption, replaces the RC4 stream-cipher encryption that WEP and WPA use.

Through 2006, 70% of successful Wi-Fi attacks will occur as a result of the misconfiguration of APs and client software, according to Gartner Inc.

This is why the Bethesda, Md.-based SANS Institute, which offers information security training and certification, recommends regular wireless audits. For example, if an enterprise has adopted 802.1x and has selected Protected Extensible Authentication Protocol, one of several available authentication methods, network administrators should regularly check that all APs are indeed configured for PEAP. In addition, airborne packets should be regularly examined using a wireless protocol analyzer to verify that they are actually using the EAP method selected.

Another recommended practice is treating the WLAN as an untrusted network, like the Internet, and putting a firewall or gateway where wireless and wired networks meet.

Most enterprises will select an EAP authentication method based on the type of database they have. Cisco’s broadly deployed Lightweight EAP supports easier-to-manage username/password schemes but is prone to off-line dictionary attacks in shops that can’t enforce strong password policies. LEAP also supports mutual authentication, an 802.11i recommendation, as do PEAP and another common method, EAP-Tunneled Transport Layer Security. Less than 30% of devices in the field are outfitted with mutual authentication today, leaving many deployments exposed.

Even the world’s largest WLAN operator — Microsoft Corp. — isn’t using WPA yet on its 4,500-AP WLAN, built on APs from Cisco Systems Inc. Many of Microsoft’s older APs are first-generation technology and are not WPA-capable. Microsoft is poised to make a wholesale change to its global WLAN infrastructure, which supports about 100,000 unique mobile devices. “11i is our main goal, but we can’t move to it yet because no NICs support it,” says Don Berry, the wireless network engineer who has overseen Microsoft’s global WLAN implementation since 1999. He estimates that less than 30% of devices in the field are outfitted with mutual authentication today, leaving many deployments exposed.

http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,95411,00.html?f=x596%3E

The list includes several widely used Microsoft products including SQL, Visual Studio .Net and SMS 2003 Server. The list can be found under the heading ‘Some programs that seem to stop working when you install Windows XP Service Pack 2’ on Microsoft’s website.

Unfortunately for a security-focused offering, XP SP2 also created problems with Symantec’s Antivirus Corporate Edition 8.0, MacAfee’s NetShield 4.5 and CA’s eTrust 7.0.

Some games that run on XP also come to grief following the installation of the service pack, including Scrabble 3.0 and two versions of Unreal Tournament.

Microsoft doesn’t give hints on how to resolve the conflict with the games but points users in the direction of the original vendor, with the instructions “see the documentation”. For its own offerings, however, the software behemoth is more helpful.

As Redmond highlights itself, the programs just “appear” to stop working and can be coaxed back into life if you follow the instructions given for each individual program on the Microsoft website. The conflicts mainly stem from the SP2 tendency to shut certain ports or block ‘unsolicited connections’ – often a sign of malware, spyware or other unwanted visitors. Microsoft’s CRM product won’t work with a SP2-equipped machine, full stop. Gates and co have already issued a fix for the incompatibility.

It’s just such incompatibilities that have prompted IBM to advise its staff to not install the service pack for fear it might conflict with business-critical applications.

http://management.silicon.com/itpro/0,39024675,39123186,00.htm?nl=d20040817

The attack, which had turned some Web sites into points of digital infection was nipped in the bud on Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code for the attack.

Compromised Web sites are still attempting to infect Web surfers’ PCs by referring them to the server in Russia, but that computer can no longer be reached.

Still, Web surfers should still take care, as this type of attack is increasingly being used by the Internet underground as a way to get by network defenses and infect officer workers’ and home users’ computers.

A large financial client called in Symantec in late April after an employee used Internet Explorer to browse an infected Web site and his system became infected.

Last fall, a similar attack may have been facilitated through a mass intrusion at Interland, said sources familiar with that case.

The Internet Explorer flaws that allowed the Russian attack, however, affect every user of the Web browser, because Microsoft has not yet released a patch. “We are not seeing that this threat is widespread, but we believe the threat to be real,” said Stephen Toulouse, security program manager for Microsoft’s security response center.

http://techrepublic.com.com/5102-6265-5248320.html