Windows and Mac users urged to update Safari

Apple has released version 4.0.5 of its Safari browser, fixing a number of issues with its browser for Windows and Mac OS X including – most importantly – a grand total of 16 security vulnerabilities.

 

If you dilly-dally over updating your computer, it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a webpage with a maliciously crafted image could lead to malicious code being automatically run on your computer.

 

Interestingly, one of the bugs (CVE-2009-2285) fixed in Safari 4.0.5 was announced and patched in Mac OS X 10.6.2 back in December 2009, and in Mac OS X 10.5 since January, meaning that Windows users of Safari have been vulnerable for over two months to the way their browser handles booby-trapped TIFF images.

 

But it doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.

 

Safari users should practise safe computing, and update their systems as soon as possible.

 

By Graham Cluley, Sophos

 

 

Energizer DUO USB battery charger software allows unauthorized remote system access

 

Overview

The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

 

 

I. Description

Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

 

Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a dialog similar to the following is displayed:

If the user selects “Unblock,” then the system will be at risk. Also note that if the application is unblocked, this will cause Windows to add rundll32.exe to the Windows Firewall exceptions list. This means that any DLL that is executed through the rundll32.exe mechanism will be excluded from the Windows Firewall, regardless of the DLL or port used.

 

The backdoor capabilities include the ability to list directories, send and receive files, and execute programs. The hash information for the file is:
MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

The file details for Arucer.dll are:

--a-- W32i   DLL CHS         1.0.0.1 shp     28,672 05-10-2007 arucer.dll
Language        0x0804 (Chinese (PRC))
CharSet         0x04b0 Unicode
OleSelfRegister Disabled
CompanyName
FileDescription Arucer DLL
InternalName    Arucer
OriginalFilenam Arucer.DLL
ProductName     Arucer Dynamic Link Library
ProductVersion  1, 0, 0, 1
FileVersion     1, 0, 0, 1
LegalCopyright  ???? (C) 2006
LegalTrademarks

VS_FIXEDFILEINFO:
Signature:      feef04bd
Struc Ver:      00010000
FileVer:        00010000:00000001 (1.0:0.1)
ProdVer:        00010000:00000001 (1.0:0.1)
FlagMask:       0000003f
Flags:          00000000
OS:             00000004 Win32
FileType:       00000002 Dll
SubType:        00000000
FileDate:       00000000:00000000

 

II. Impact

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

 

 

III. Solution

Remove the Energizer UsbCharger software

Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.

 

Remove the Arucer.dll file

The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, the Windows may need to be restarted before this file can be removed.

 

Remove “Run DLL as an App” exclusion from the Windows Firewall

If the user unblocks Run DLL as an App (rundll32.exe) from the Windows Firewall, the exclusion will remain after the Energizer UsbCharger software has been uninstalled. To restore the firewall to the previous state, the “Run a DLL as an App” entry should be removed from the exclusions list.

 

Block or restrict network access

Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that “Run a DLL as an APP” has been blocked by the Windows Firewall.

 

The following Snort rules can be used to detect network traffic related to this backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; sid:1000007; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; sid:1000009; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; sid:1000010; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; sid:1000011; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; sid:1000012; rev:2;

 

Systems Affected

 

Source : www.kb.cert.org

 

 

Removal tool for Oficla.H!dll, Win32.Fregee.av (reader_s.exe, file1.exe) Trojan

 

Sample Submitted By Sven Berger

 

 

 

Read more

New ClamAV for Windows Powered By ( immunet and sourcefire )

 

The new ClamAV for Windows is the result of a partnership between Immunet Corporation (http://www.immunet.com) and Sourcefire, Inc. (http://www.sourcefire.com). It is designed to provide the ClamAV community with a free Windows-specific Anti-Virus (AV) solution using an advanced Cloud-based protection mechanism.  You can use ClamAV For Windows as a stand-alone, host-based AV solution, or in conjunction with your pre-installed AV solution to provide enhanced detection for the latest malware threats.

 

Say goodbye to the days of watching AV software drain your memory and processing speed. Immunet’s unique Cloud-based technologies allow the ClamAV application to leverage the power of the Cloud to drive the AV engine. When you use ClamAV for Windows, you save system resources for the tasks they really want to run, like games and business applications.

 

ClamAV for Windows utilizes advanced Cloud-based and community-based detection methods. Developed by Immunet, these detection methods leverage the computers of your friends, family and a worldwide global community to harness their collective knowledge for securing your PC. Every time someone in this collective community encounters a threat, everyone else in the community gains protection from that same threat in real time. You no longer have to rely on the isolated security of your current Anti-Virus vendor. You are able to protect your friends and family while being better protected yourself. This is exactly what we designed ClamAV for Windows to do. By providing a fast and light layer of virus detection, and linking everyone in a global community, we harness a security sum that is far greater than its individual parts, we call this Collective Immunity.

 

Immunet placed ClamAV into their Cloud infrastructure alongside their Ethos detection engine, and several other detection technologies.  By combining all these technologies, and utilizing the power of community-based detection, we feel we have the most effective Anti-Virus technology on the market. And it only gets better with every user that installs and utilizes our technology.

 

Download New ClamAV :

• ClamAV for Windows 32 bit
• ClamAV for Windows 64 bit

 

Minimum System Requirements

1. Windows XP SP2, Windows Vista SP1, Windows 7
2. A working Internet connection

Optional Requirements

1. A Facebook account
2. A Twitter account

 

 

Critical security update for Adobe Reader and Acrobat

Adobe has issued a security bulletin urging users of its Adobe PDF Reader and Acrobat products to update their software before hackers take advantage of two critical vulnerabilities.

 

Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh are vulnerable to a flaw that could be exploited by hackers to make unauthorised cross-domain requests. This same vulnerability was revealed in Adobe Flash Player last week.

 

Meanwhile, another flaw could give hackers an opportunity to inject malicious code onto computers via vulnerable installations of Reader and Acrobat.

 

As we’ve mentioned many times before, it’s essential that you keep your installations of Adobe’s software up-to-date as they are increasingly being taken advantage of by hackers to launch attacks.

 

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1 if possible. Similarly, Adobe Acrobat should be updated to version 9.3.1. It’s a shame, therefore, that Adobe’s Reader advisory makes such a bad job of linking to the right files.

 

For instance, the link it is giving for the Mac update actually links to a page full of Windows files:

 

Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1.

 

By Graham Cluley, Sophos

 

 

Fake Conflicker.B Infection Alert puts internet users at risk

The global network of spamtraps controlled by the experts inside SophosLabs are seeing a swarm of attacks today, posing as an email warning about the Conficker worm.

 

Here is a typical message that has been spammed out by hackers:

Subject: Conflicker.B Infection Alert
Attached file: open.zip

 

Message body:

 

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

 

Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.

 

The wording is nearly identical to a similar attack I blogged about last October.

 

What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!

 

I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world:

 

By Graham Cluley, Sophos

 

Removal tool for Generic.Malware.SL!!M.807DC390 (mso.exe, usbflash.com) Keylogger

 

Submitted By Google Pnookle

 

 

- Sets the drive to autoplay by creating autorun.inf file in its root directory.

- Creates a startup registry entry.

 

Read more

Apply the Critical Security Updates for Internet Explorer Vulnerabilities (MS10-002 – Critical)

This cumulative security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This security update is rated Critical for all supported releases of Internet Explorer.

 

Executive Summary

This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

 

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate.

 

The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.

 

This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.

 

Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

 

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

 

[ Download MS10-002 ]

 

German Government: Don’t use Internet Explorer

The German government has advised computer users not to run Internet Explorer and run an alternative browser instead, because of a critical zero-day security flaw.

 

The advice, which came in the form of an official statement from the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI) says that the as yet unpatched vulnerability is likely to be the same one blamed for hacker attacks on Google and other US companies last week.

 

The BSI advisory claims that although Microsoft’s advice to run Internet Explorer in ‘protected mode’ and disable Active Scripting makes it more difficult for hackers to attack, it does not completely prevent them.

Here is a rough translation (courtesy of Google Translate) of the BSI statement:

Critical vulnerability in Internet Explorer

BSI recommends the temporary use of an alternative browser
Bonn, 15.01.2010.

In Internet Explorer there exists a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted webpage into a Windows computer, in order to infiltrate and control computers. The past week has become known in the Hacker Attack on Google and other U.S. companies has probably exploited the vulnerability.

Affected are the versions 6, 7, and 8 of Internet Explorer on Windows XP, Vista and Windows 7. Microsoft has published a security advisory, in which it discusses ways of minimizing risk and is already working on a patch for the security hole. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.

Although running Internet Explorer in "protected mode" as well as disabling Acitve Scripting does make it more difficult to attack, it can not completely prevented. Therefore, the BSI recommends that users switch to an alternative browser while waiting for Microsoft's patch.

Once the vulnerability has been closed, the BSI on its warning and information service MayorCERT also informed. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via E-mail.

 

The vulnerability means that a hacker could send you a message, perhaps pretending to be from a colleague or friend, and – if you clicked on a link in that email – your vulnerable installation of Internet Explorer would visit a malicious webpage infecting your Windows PC with a Trojan horse.

 

At that point the hackers could effectively grab control of your computer, with the potential of stealing company secrets, personal information or using it to spread spam or other attacks. The problem is that right now Microsoft doesn’t have a patch to fix their software.

 

Of course, the German government’s advice that internet users should switch to alternative browsers is unlikely to well received at Microsoft, and pressure is sure to grow on the company to release an “out-of-band” patch to resolve the security flaw as soon as possible.

 

With Google pointing the finger of blame for the attacks at China, it’s perhaps not surprising that the German government should be keen to ensure that its own computers (whether they be in government or industry) are not next in the firing line of hackers.

 

Alternative internet browsers such as Firefox, Safari and Opera have all suffered from security vulnerabilities in the past, of course.

 

You can read SophosLabs’s write-up on the Microsoft security flaw here, as well as further commentary by principal virus researcher Vanja Svajcer.

 

With all this talk about state-sponsored cyber-spying originating from China clearly spooking the German authorities, it’s perhaps a little ironic that the Germans themselves were accused of using the internet and malware to spy on another country a couple of years ago.

 

by Graham Cluley, Sophos

 

Boost PC Performance with Comodo System Cleaner‏

 

 

Picture a messy room. This room may be littered with trash but also contains your valued possessions. The goal is obvious: get rid of the trash without throwing away any valuables. Now imagine an ultra-powerful vacuum that will destroy anything in its path, never to be seen again. You might think twice about where to point this vacuum! Other system cleaners have the same problem as this vacuum: good stuff gets obliterated,the same as bad stuff. In an attempt to perform some much-needed system maintenance, you could wipe out files necessary to your PC’s performance! Comodo System Cleaner has made this problem obsolete. If CSC sucks in a valued possession, you can easily reach in and take it back out again. No harm done, and your computer keeps performing solidly.

 

Important Features of System Cleaner

Deep cleaning of your PC’s registry
After a deep registry cleaning, Windows will be able to access the information it needs from the registry more quickly, boosting both performance and stability.

 

 

Deep cleaning of your PC’s disk drive
Eliminate the clutter inevitably built up over time in your disk drive to free up space and improve performance.

 

 

Clean-up scheduling
Enter when you’d like System Cleaner to perform a deep clean so it’s convenient for you.

 

 

SafeDelete™ and Registry Protection
Use these features to backup all your files before cleaning. When cleaning is complete, you’ll be able to make sure your PC is in perfect condition before deleting for good.

 

 

Privacy cleaning
Clear out your digital trail (cookies, cache, browsing history, and more) with the privacy cleaner to keep your private information out of the hands of others.

 

 

Extensive Windows customization tool
Alter dozens of obscure and hard-to-find Windows settings easily within Comodo System Cleaner’s interface.

 

Download the Portable Version:

• Windows 7 / XP / Vista 32 bit (4.96 MB)
• Windows 7 / XP / Vista 64 bit (4.77 MB)

Next Page »