Consumer Threat Alert: New "Here You Have" Worm Delivers Unwanted Gift

 

 

Share this on:     Security Advice Center  |  Products   New "Here You Have" Worm Delivers Unwanted Gift Global mass mailing worm masquerades as business message but links to malware, McAfee Labs warns A new Internet worm dubbed "Here You Have" is streaming into worldwide inboxes, offering a dangerous payload, according to McAfee Labs. The worm, which travels via spam email with the subject line of "Here you have," or "Just for you," masquerades as an email with a link to a video or an attached document file. However, the email actually contains a link to a malicious program that can disable security software and send itself to all the contacts in the recipient's address book. Corporations around the world were particularly affected by the worm on Thursday as it clogged up their email systems. Consumers could be affected as they go home and log onto their machines. For this reason, McAfee Labs has labeled the worm as a "medium" risk, and warns all computer users to delete any email with the "Here you have," or "Just for you," subject line. Although the dangerous link has been taken down, neutralizing the threat, it can still spread through remote machines, mapped drives and removable media, Labs warns. If you have an up-to-date and properly configured McAfee security software product then you are protected against this threat. The Hook: You receive a spam email with the subject line "Here you have," or "Just for you," and a link or attachment that looks like it leads to a video or document file. It may appear that the email comes from someone you know. The Methods: The email invites you to click on the link, and once you do it prompts you to download a file. This file is actually malware that disables the security software on your machine and sends itself to everyone listed as a contact in your address book. The Dangers: Once you are infected, your computer has diminished security protection. Your machine is also being used to spam your friends and contacts. If you are on a corporate network, the network could be clogged as the worm works its way through address books. Bottom Line: Do not click on the link in any email with the subject header "Here you have," or "Just for you," even if it appears to be from someone you know. Tips to Avoid Becoming a Victim: 1.     Never click on a link in a spam email or IM from someone you don't know. Be suspicious of strange emails from family or friends: their accounts may have been compromised. 2.     Use comprehensive security software, like McAfee Total Protection™ software, to protect you from viruses, spam, and other Internet threats, and keep the software up-to-date. Save on McAfee Total Protection or try it free for 30 days. 3.     Set your operating system and browser to automatically apply updates.

 

Microsoft Security Articles

Security  Articles

Microsoft Malware Protection Center  Website | RSS Feed
MSRT May Threat Reports and Alureon  - 22-May-2010
MSRT May Threat Reports and Alureon   - 22-May-2010

Microsoft Security Response Center MSRC  Website | RSS Feed
Security Advisory 2028859 Released  - 18-May-2010

MSRC Ecosystem Strategy  Website | RSS Feed
Strengthening the Security Cooperation Program  - 17-May-2010
Project Omega Launch at AusCERT  - 17-May-2010

Security Bulletins Advisories  Website | RSS Feed
Microsoft Security Advisory (2028859): Vulnerability in Canonical Display Driver Could Allow Remote Code Execution - 5/18/2010  - 18-May-2010

Security Bulletins Comprehensive  Website | RSS Feed
Microsoft Security Bulletin Summary for May 2010  - 19-May-2010
MS10-030 - Critical: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542) - Version:1.2  - 19-May-2010
MS10-031 - Critical: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213) - Version:1.1  - 19-May-2010


Security Products Forefront  

Forefront Client Security  Website | RSS Feed
Pardon our dust….  - 17-May-2010
Pardon our dust….  - 17-May-2010

Forefront Product Suite  Website | RSS Feed
Issuing information cards with AD FS 2.0: Community Technology Review released  - 21-May-2010

Forefront Server Security  Website | RSS Feed
Introducing the Forefront Protection 2010 for Exchange Server capacity planning tool  - 21-May-2010
Check out this new video overview of Forefront Protection 2010 for SharePoint  - 20-May-2010

Forefront Threat Management Gateway ISA Server  Website | RSS Feed
Announcing the availability of the new MRS (V1.1) release  - 18-May-2010

Forefront Unified Application Gateway UAG  Website | RSS Feed
DirectAccess and Teredo Adapter Behavior  - 21-May-2010
UAG DirectAccess Test Lab Guide CRL Check Update  - 20-May-2010
Introduction to “The Edge Man”  - 18-May-2010
Configuring an External Load Balanced UAG DirectAccess Array for an IPv4 Only Network  - 17-May-2010

No-Cost Antivirus and Antispyware Tools from Microsoft

Sign up for other newsletters | Unsubscribe | Update your profile

Get no-cost antivirus, antispyware, and other security tools Concerned about your computer becoming infected with a virus, spyware, or other malicious software? Who isn't? One quick, easy way that you can help protect your PC is by downloading Microsoft Security Essentials. It provides real-time protection against malicious software, and it's easy to install, simple to use, and free. Learn more about Microsoft Security Essentials, plus discover other free security tools from Microsoft for additional protection. Security updates for May 11, 2010 The bulletin for May includes two security updates: one for the Windows operating system and one for Microsoft Visual Basic. Get updates from Microsoft Update See a summary of the updates Watch a short video about the updates Microsoft security news Support for Windows XP with Service Pack 2 ends July 13, 2010 Support is ending for some versions of Windows. Learn how to determine which version and service pack you're running, and what end of support means for you. Microsoft releases new Security Intelligence Report Get Microsoft's latest analysis of the leading security threats to your PC. Download Security Intelligence Report Volume 8 or see a summary of key findings. "Rethinking the Cyber Threat" Microsoft Corporate Vice President of Trustworthy Computing Scott Charney outlines a framework for creating more effective cyberattack responses. Read Charney's message or download the full paper. Protect your computer Get virus help from a local security expert If you think your computer is infected with a virus or spyware, you can call Microsoft support or even find a local computer expert to help you. Here's how. See if your Windows operating system has protection built in There are four basic steps to help protect your computer. Check to see if your version of Windows has these features built in. Protect yourself and your family How to reduce your risk of online fraud This article offers the basics on protecting yourself from identity theft online. Learn three common online scams, where you might see them, and six telltale signs of a scam. Plus, find advice on how to avoid scams and where to report possible fraud. You've inherited money! Or not We try to keep you alerted to the latest Internet scams. Last month it was the MSN Auto Protection scam and the UPS package delivery scam. This month it's the windfall inheritance scam. Should I surf the web in Protected Mode? To help protect against spyware, make sure that you surf the web in Protected Mode in Internet Explorer. Learn what Protected Mode does and how to ensure it's on. Security resources Microsoft Online Safety: online safety and privacy education Microsoft Security: the latest in computer security Security Tips & Talk blog Microsoft Consumer Security Support Center About this newsletter Microsoft Security for Home Computer Users is a monthly newsletter bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive more technical security information, see the Microsoft Security Newsletter.

© 2010 Microsoft Corporation Terms of Use | Trademarks

MVP Announce: Alert - McAfee Update Causing Windows XP Machines to Shut Down

What is the purpose of this alert?

Microsoft has been made aware of an issue with a McAfee DAT file update - released Wednesday, April 21, 2010 - that has been causing stability issues on Windows XP client systems. The symptom is caused by a false-positive detection on a core Windows file (svchost.exe). Once the file is quarantined by McAfee, the system may encounter one of the following symptoms:

·                                 The computer shuts down when a DCOM error or a RPC error occurs

·                                 The computer continues to run without network connectivity.

·                                 The computer triggers a Bugcheck (Blue Screen). 

The DAT file version that that caused the problem is McAfee DAT 5958. This file was propagated to client machines that conduct automatic updates of definition files. McAfee updated the DAT file soon after the problem was identified with a new version that does not cause the problem.

 

Resolution Steps

 

Please review the following KB Articles for specific steps to resolve the issue on systems that are affected.

 

McAfee KB Article:

https://kc.mcafee.com/corporate/index?page=content&id=KB68780

 

Microsoft KB Article:

http://support.microsoft.com/kb/2025695

 

Recommendations

 

We recommend customers affected by this symptom first review the McAfee KB Article referenced above. For further assistance, customers should contact McAfee. Customers who are unable to resolve the issue through these means can contact Microsoft for technical support using resources found on this Web page: http://support.microsoft.com/.

 

Regarding Information Consistency

 

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.

 

 

 

 

My Article in January 2010 Edition of the Hakin9 Magazine

One of my articles have been published in the January 2010 edition of the Hakin9 International IT Security Magazine. The articles title is The Fear Factor - Study of a new genre of malwares called "Scarewares" Edition Link: http://hakin9.org/magazine/995-hardware-keylogger-a-serious-threat

Increase in Web Malware Activity

There have been many discussions in various Forums, Blogs and Message Boards that the Web has now become the primary vehicle for the Malwares to enter our networks. For more details about such a presentation, please refer to the WebCast “Web Attacks: How Hackers Create and Spread Malware”, presented by Chris McCormack (Web Security Expert - Sophos) and Fraser Howard (Principal Researcher - Sophos). It is very scary, as pointed out in this WebCast, that there is no such thing as a trusted website. Even the most legal site can become the epicenter of spreading out Malware infections. From the popular social networking sites to private/public discussion boards, web sites and blogs, anything can become the harboring ground of these Web Malwares. The table below, taken from Kaspersky Security Bulletin (Statistics 2008), shows the number of Web Malwares detected in some of the popular social networking site. This statistics is compiled by comparing the number of malicious programs that attacked users of different social networking sites.

Social Networking Site	Malwares Detected (2008)	Registered Users (2008)
Odnoklassniki (www.odnoklassniki.ru)	3302 Malwares	22000000 Users
Orkut (www.orkut.com)	5984 Malwares	67000000 Users
Bebo (www.bebo.com)	2375 Malwares	40000000 Users
Livejournal (www.livejournal.com)	846 Malwares	18000000 Users
Friendster (www.friendster.com)	2835 Malwares	90000000 Users
Myspace (www.myspace.com)	7487 Malwares	253000000 Users
Facebook (www.facebook.com)	3620 Malwares	140000000 Users
Cyworld (us.cyworld.com)	301 Malwares	20000000 Users
Skyblog (www.skyblog.com)	28 Malwares	2200000 Users

Source: Kaspersky Security Bulletin (Statistics 2008)

Similarly, the below graph shows the sudden increase of Web Malwares activity related with some of the popular social networking sites.

Source: Kaspersky Security Bulletin (Statistics 2008)

Recently it was discovered that social networking sites were getting used as botnet command control. Arbor Network Security reported that, they have identified a Twitter account that was being used as part of an update server for infected systems that were part of a botnet. This account was issuing base 64 encoded tweets that pointed to links where the infected computers could receive malware updates from. Almost similar kinds of botnet command control mechanism were also detected in Tumblr & Jaiku as well. These bots were using RSS feed to get the status updates.

It was pointed out by Google that ‘1% of all search results contained at least one result that point to malicious content and the trend seems to be increasing’. Of the billions of web pages that they have investigated, more than 3 million unique URLs on over 180,000 web sites automatically install Malwares by drive-by download. Shown below are some of the interesting statistics of Malware activity identified in the Web. These interesting trends were observed by the Google Security Team.

Source: Google Online Security Blog

The above graph shows the percentage of daily queries that contain at least one search result identified as Malicious.

Source: Google Online Security Blog

The above graph shows the number of entries in the Google Safe Browsing Malware List. It becomes obvious from these graphs that in the last few years there has been a constant increase of Web related Malwares. The Google research paper on this increasing trend of Web Malware activity, as observed by the Google Security Team, can be referred to from the URL mentioned below in the reference section of this article (Google Research).

Taken from Kaspersky Monthly Malware Statistics, the below table shows the top twenty Web Malwares with new infections detected (highlighted in yellow) and the number of infected web pages.

Position	Malware Name	Infected Web Pages
1	Trojan-Downloader.JS.Gumblar.a	8538
2	Trojan-Clicker.HTML.IFrame.kr	7805
3	Trojan-Downloader.HTML.IFrame.sz	5213
4	Trojan-Downloader.JS.LuckySploit.q	4719
5	Trojan-Downloader.HTML.FraudLoad.a	4626
6	Trojan-Downloader.JS.Major.c	3778
7	Trojan-GameThief.Win32.Magania.biht	2911
8	Trojan-Downloader.JS.ShellCode.i	2652
9	Trojan-Clicker.HTML.IFrame.mq	2576
10	Exploit.JS.DirektShow.o	2476
11	Trojan.JS.Agent.aat	2402
12	Exploit.JS.DirektShow.j	2367
13	Exploit.HTML.CodeBaseExec	2266
14	Exploit.JS.Pdfka.gu	2194
15	Trojan-Downloader.VBS.Psyme.ga	2007
16	Exploit.JS.DirektShow.a	1988
17	Trojan-Downloader.Win32.Agent.cdam	1947
18	Trojan-Downloader.JS.Agent.czm	1815
19	Trojan-Downloader.JS.Iframe.ayt	1810
20	Trojan-Downloader.JS.Iframe.bew	1766

Source: Kaspersky Monthly Malware Statistics

Web Malwares have become a major contributor to this growing Malware menace. According to ScanSafe's Annual Threat Report, on an analysis of 200 billion web requests they came to a conclussion that web malware infection surged 582 percent last year, with a significant increase visible toward the last quater of 2008. Security researchers at AVG Technologies have observed that the number of new infected Web sites has grow by 66 percent, from 100,000 to 200,000 per day to 200,000 to 300,000 per day it is expected that this trend would continue in days to come.

Since 2006, the number of Malware signatures of most of the Antivirus vendors has doubled. But with new variants getting created, newer methods of infection and increase in the numbers of distribution points, which are mainly compromised websites, this has resulted in a situation where the Antivirus vendors are now finding it difficult to block these threats, hence, resulting in misses in Malware detection. Earlier Antivirus companies were blocking a major portion of these Malwares with dedicated and generic signatures. However today, it has become literally impossible to block these Malwares with older methodologies. The below statistics (Jan-Jun 2009) shows the misses by some of the major Antivirus engines to detect Malwares and this trend has increased off late.

Source: CommTouch Labs

After calculating an average daily detection rate of some of the major Antivirus vendors, it was revealed by Cyveillance, a cyber-intelligence gathering company, that none of these Antiviruses were going over the 50% mark as far as successful detection is concerned. The top five scores came from McAfee (44 percent), Sophos (38 percent), Dr. Web (36 percent), Symantec (35 percent) and Trend Micro (34 percent). The list also had details of AVG (31 percent), F-Secure (28 percent), ESET (27 percent), Sunbelt (26 percent), F-Prot (23 percent), Norman (23 percent), Kaspersky (18 percent) and VirusBuster (16 percent). Similarly, Panda Security Research also reported that, out of 1.5 million home computers they looked into, only 37.45 percent were correctly protected with an active anti-malware solution with the latest signature database and out of these protected computers, 22.97 percent had active malware infections which were undetected by the anti-malware solution. This is because, more than 52 percent of the Malwares will get reconfigured within 24 hours of its first release so that they can evade signature-based scanners. They also audited a total of 1,206 companies' network. These networks were protected by a variety of different security vendors and in 69.34 percent of the cases they were correctly protected. However they still found thay 71.79 percent systems of these networks were actively infected with Malware.

Heap Spraying

Heap spraying is a technique which is implemented using Javascript and the sole purpose is arbitrary code execution. Although heap spray exploits has been in use since 2001 but since 2005 a more widespread use of this technique is seen in exploits targeted for web malwares. Let us now see what actually heap spraying is and how it is done.

A vulnerable application (in this case, browsers like IE or Firefox), because of certain illegal operation due to badly coded error handling modules, can jump into invalid memory addresses. Once it jumps to those memory addresses it is unable to read data from that invalid memory address resulting in an application crash. When the application crashes it throws a popup as shown below:

Now, depending on the nature of the vulnerablity in the application, we can inject the heap with "nop + shellcode", as much as possible, untill the invalid memory address gets overwritten with "nop + shellcode" and becomes a valid memory. By this we can create a scenario where we can ensure that our custom "shellcode" gets executed the next time a similar illegal operation happens and the application tries to reference that invalid address again. Once we control this behavior with a properly written exploit code, we can successfully use the vulnerability to our advantage to achieve arbitrary code execution. Please refer to the below image for a better understanding of the concepts mentioned above.

However, to successfully achieve arbitrary code exection using heap spray, there is one important things that we need to keep in mind. That is, as per the Windows Memory Layout, address higher than 0x7FFFFFFF falls in the KERNEL ADDRESS SPACE and address lower than 0x7FFFFFFF falls in the USER ADDRESS SPACE. The address of a program heap falls within this USER ADDRESS SPACE i.e the address is less than 0x7FFFFFFF. So during the overwriting of the heap and the invalid memory address, we must keep in mind that we are overwriting memory addresses that fall within the USER ADDRESS SPACE, not the KERNEL ADDRESS SPACE. If we write in memory locations that belong to the KERNEL ADDRESS SPACE, there will be a system crash.

New Sysinternals Tool - Disk2vhd

A new Sysinternals tool, Disk2vhd, was released yesterday by Mark Russinovich and Bryce Cogswell.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).

You can download Disk2vhd from the Sysinternals website. Please refer to the link mentioned at the bottom of this post.

Some screenshots of Disk2vhd

Read more from the Sysinternals site (link provided below).

http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Cheers Mark!!, once again you gave us an amazing tool.

Microsoft Security Articles (Sep14-Sep20)

Article Topics & Links:

Microsoft Information Security Tools Team  Website | RSS Feed
Anti-XSS Library v3.1 Released!  - 17-Sep-2009
Introducing the Connected Information Security Framework and Risk Tracker  - 16-Sep-2009
Want to Develop Software Security Tools?  - 16-Sep-2009
Want to Shape Great Security Tools ?  - 15-Sep-2009
CISF Security Portal Architecture  - 15-Sep-2009
Automating Windows Firewall settings with C# (part 2)  - 14-Sep-2009
Microsoft Malware Protection Center  Website | RSS Feed
The modern rogue - a timely subject  - 18-Sep-2009
I can’t go back to yesterday - see you in Geneva  - 16-Sep-2009
September in Geneva  - 15-Sep-2009
MSRC Ecosystem Strategy  Website | RSS Feed
Announcing BlueHat v9: Through the Looking Glass  - 14-Sep-2009
Security Bulletins Advisories  Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution - 9/17/2009  - 17-Sep-2009
Security Bulletins Comprehensive  Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution  - 17-Sep-2009
MS09-047 - Critical: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812) - Version:1.1  - 16-Sep-2009
Security Vulnerability Research and Defense  Website | RSS Feed
Update on the SMB vulnerability situation  - 18-Sep-2009
OffVis updated, Office file format training video created  - 14-Sep-2009
The Security Development Lifecycle  Website | RSS Feed
Two New Security Tools for your SDL tool belt (Bonus: a “7-easy-steps” whitepaper)  - 16-Sep-2009

Source: Microsoft Blogs