IT Week Labs blog


More rootkit evil this way comes

Does milk curdle when you place it next to your PC when it's firing up? You may have a rootkit. VeriSign security outfit iDefense has tipped us the wink about a nasty rootkit which appears to be active in the wild and could take over PCs to form the basis of a fairly pervasive botnet.

The rootkit works its evil by infecting user systems after they've visited a website hosting a malicious IFrame. IFrames are HTML tags which allow website coding meisters to embed other HTML documents, like advertisements, inside the main document. While visitors are having a shufty at what they may think is a normal website, the rootkit infects the master boot record (MBR).

Currently iDefense say the following exploits, all against Microsoft software, can be used to infect users' systems: JVM ByteVerify (MS03-011), MDAC (MS06-014), Internet Explorer Vector Markup Language (MS06-055) and XML Core Services (MS06-071). However, there's no reason why other unpatched OS bugs or application vulnerabilities couldn't be used in future.

Once this rootkit is on your system, since it loads before Windows it can hide from Windows and from security tools that run under Windows. You're therefore reliant on your anti-virus package being able to detect the rootkit and remove it. There may be a better option though, if you use a tool like Acronis True Image to create a backup of your entire system. True Image also backs up the MBR, and because True Image boots from CD before Windows loads, the rootkit doesn't get a chance to execute and do its thang.

So if you think that you may have a rootkit, you can flatten the infected MBR (see picture) and continue merrily on your way. There are other tools out there, and Windows OS CDs have also got options to write a new MBR to your system, although I suspect these were put there originally to repair non-bootable Windows systems.

[Image: Acronis_restore]

The trick is knowing that you have an infected MBR, which seems like a hard call to make, unless you are at one with your PC in a yogic type of way.
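As an added illustration (not code from the original post, and nothing to do with Acronis), here's a Python check for the "do I have an infected MBR?" question: it hashes the first 446 bytes of a saved sector against a baseline taken when the machine was known to be clean, parses the four partition entries and confirms the 0x55AA boot signature. The 512-byte sample sector, its single partition entry and the byte flip used to show a mismatch are all constructed for the example; read_mbr is the only function that touches a real disk, and the device paths in its comment are assumptions about where you would point it.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"       # bytes 510-511


def read_mbr(device_path):
    """Read the first sector of a raw device."""
    # Windows: r"\\.\PhysicalDrive0" from an elevated prompt; Linux: "/dev/sda" as root.
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_mbr(mbr):
    """Split a 512-byte sector into a boot code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:  # partition type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr, baseline_boot_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_sample_mbr():
    """Constructed clean MBR used here instead of reading a real disk."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * (BOOT_CODE_LEN - 3)  # placeholder, not real boot code
    # one entry: active (0x80), type 0x07 (NTFS), starts at LBA 63, 20,000 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIG


def demo():
    """Compare a clean sector and a constructed altered copy against the same baseline."""
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]   # record this while the machine is known-good
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF        # constructed change inside the boot-code region
    return check_mbr(clean, baseline), check_mbr(bytes(tampered), baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean sector:", before or "no findings")
    print("altered sector:", after)
```

The baseline hash is the whole point: take it from a rescue-CD boot (or the True Image backup) while the box is clean, keep it somewhere the running OS can't quietly rewrite, and compare against a sector read from the same offline boot, since a rootkit that loads before Windows can lie to anything reading the disk from inside Windows.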

Kung Fu Panda

Looking after sick children can be unrewarding in that you're offering waiter service, but without the tips. Anybody watching the latest Shrek episode, 'Shrek the Third', on DVD, and I have been subjected to it about 20 times, will know that a future release from DreamWorks will be 'Kung Fu Panda' starring Angelina Jolie, Dustin Hoffman, Ian Macshane, Jack Black, and Jackie Chan. OK, it's a pretty weak lead-in to a blog on Panda's Internet Security 2008 package, but that's the best link I could find!

Panda’s Internet Security 2008 (IS 2008) is identical to the corporate package and differs only in how it’s deployed and managed. Differentiators in the market for products like these are the signature databases along with the heuristic engines designed to discover malware for which signatures are not yet available.

In fact a few days ago, some security software firms banded together to form the AntiMalware Testing Taskforce. The core group includes AV-Test, F-Secure, Kaspersky, Panda and Symantec, with other firms like Checkpoint, PC Tools, Sunbelt and Virus Bulletin supporting the testing methodology. This group will define a new test methodology based on behavioural analysis. More security companies have been invited to join next January, the objective being to design a testing plan that reflects competing products' capabilities.

Panda IS 2008 is a powerful system, but for home users the set-up and activation, which involves a client number, username, password and activation code, could be slightly confusing. There are also a fair number of levels to be configured to get the best out of the system. That said, once it is all set up, it offers a lot of functionality: anti-phishing, anti-virus, anti-spam, anti-spyware, data backup, parental control and many more. I'll be giving a further update on Panda IS 2008 in the new year.

Remember the original TV series of Kung Fu starring David Carradine? Here's a quote from the original pilot, courtesy of Master Kan, teacher of Carradine's character, Kwai Chang Caine: "From the crane we learn grace and self-control. The snake teaches us suppleness and rhythmic endurance. The praying mantis teaches us speed and patience. And from the tiger, tenacity. And from the dragon we learn to ride the wind."

The Chinese new year begins on 7 February and it’s the year of the rat, so watch out for those phishers and spammers next year.

But what of the Panda - well, "Learn well the ways of the Panda, that it may protect your system on the eternal quest for knowledge on the Internet."

Security companies praise the Lord and HMRC

Any security company worth their salt has been bombarding companies looking at the situation vis-à-vis Her Majesty’s Revenue and Customs (HMRC) and wondering about their security procedures and technology.

In the Labs we've just set up a system from log data management and compliance vendor LogLogic, which looks tailor-made to address problems like those currently putting HMRC in the spotlight. We have a LogLogic LX 2010 appliance which is collecting and collating log event data from our numerous systems. It then passes the data on to an ST 3010 appliance, which archives the logs and creates a searchable data archive, which should make it easy for system admins, and even tech journalists, to spot and alert on policy breaches. Like, for instance, somebody copying a database, putting it unencrypted onto a CD and 'protecting' said data with just a password.
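To make the "spot and alert on policy breaches" idea concrete, here's an added Python example. It is not LogLogic's code, and the key=value log lines, their field names and the 100MB "bulk" threshold are all constructed for the example. One rule flags a large write to removable media where the encrypted flag is "no", and a second function collates removable-media bytes per user, the kind of roll-up a searchable archive makes cheap.

```python
from collections import defaultdict

# Constructed log lines in a key=value style; not output from a real LogLogic appliance.
SAMPLE_LOGS = [
    "2007-11-21T10:02:11 host=fs01 user=jsmith event=file_write media=removable "
    "dest=E: file=childbenefit_export.csv bytes=1200000000 encrypted=no",
    "2007-11-21T10:05:40 host=fs01 user=jsmith event=file_write media=removable "
    "dest=E: file=notes.txt bytes=2048 encrypted=no",
    "2007-11-21T11:17:03 host=ws22 user=apatel event=file_write media=removable "
    "dest=E: file=payroll.bak bytes=900000000 encrypted=yes",
    "2007-11-21T12:00:00 host=fs01 user=backupsvc event=file_write media=network "
    "dest=nas01/backup file=childbenefit.db bytes=2500000000 encrypted=no",
]

BULK_THRESHOLD = 100 * 1024 * 1024   # 100 MB: assumed policy threshold for a "bulk" copy


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict (values contain no spaces in this format)."""
    fields = line.split()
    record = {"timestamp": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        record[key] = value
    return record


def is_bulk_unencrypted_removable(record):
    """Policy rule: a large write to removable media that was not encrypted."""
    return (record.get("event") == "file_write"
            and record.get("media") == "removable"
            and record.get("encrypted") == "no"
            and int(record.get("bytes", 0)) >= BULK_THRESHOLD)


def scan(lines):
    """Return one alert per line that breaks the rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if is_bulk_unencrypted_removable(rec):
            alerts.append({"time": rec["timestamp"], "host": rec["host"],
                           "user": rec["user"], "file": rec["file"],
                           "bytes": int(rec["bytes"])})
    return alerts


def removable_bytes_by_user(lines):
    """Collate total bytes written to removable media per user, for trend reports."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") == "file_write" and rec.get("media") == "removable":
            totals[rec["user"]] += int(rec["bytes"])
    return dict(totals)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print("ALERT:", alert)
    print("removable-media bytes per user:", removable_bytes_by_user(SAMPLE_LOGS))
```

On the sample lines only the first one fires: the second is tiny, the third was encrypted and the fourth went to a network share rather than removable media. The per-user roll-up still shows both removable-media writers, which is the sort of thing you'd want in a weekly report even when no single event crossed the line.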

I presume LogLogic marketing managers will be quietly confident that their systems might get an extra boost from the shenanigans currently plaguing public sector IT. We'll be putting out a full review of the system, hopefully before Santa sets Rudolph out on his one-year mission to disappoint your kids.

HMRC child benefit database - is it a spreadsheet?

A bit ironic that the first major corporation to be nailed to the wall on a compliance issue in the UK, will be Her Majesty's Revenue and Customs. Well, they won't be 'nailed' will they – too embarrassing for the Government. Just an enquiry which will finally report years down the line, with the Government saying that the system has changed and there's new safeguards in

Let's forget about the security arrangements around the database for a minute and think about what type of database is being used. Is it a proper database, with proper record fields, or are there some flat text files in there which are used as pseudo-records? Is it the case that HMRC can't run proper queries against their database, i.e.

BEGIN

for all the data

          get just the Name and NI number record fields;
          write that data;

END.

OK, they'd use a dedicated query language, but you get the idea. Plus, how come a 25 million unique record database can fit on two CDs? If we give everybody 100 bytes of ASCII, that's 2.5GB, a bit more than two CDs. Compression? No doubt the inquiry will sort all this out and then we can move to that National ID Database secure in the knowledge that it couldn't possibly happen again.
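For what the pseudocode above looks like against a real, properly structured table, here's an added Python example using SQLite. It has nothing to do with HMRC's actual systems: the table layout, the three placeholder claimants and their NI numbers are all constructed for the example. It runs the two-column projection, compares it with a dump of every column, and measures bytes per record so the 100 bytes times 25 million estimate can be checked.

```python
import csv
import io
import sqlite3


def build_sample_db():
    """Constructed in-memory table standing in for the child benefit database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE claimants (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            ni_number TEXT NOT NULL,
            address TEXT,
            bank_sort_code TEXT,
            bank_account TEXT)""")
    rows = [  # placeholder people; the NI numbers and bank details are made up
        ("A Example", "QQ123456A", "1 Test Street, Testtown", "12-34-56", "12345678"),
        ("B Sample", "QQ123456B", "2 Sample Road, Sampleville", "65-43-21", "87654321"),
        ("C Placeholder", "QQ123456C", "3 Dummy Lane, Nowhere", "11-22-33", "11223344"),
    ]
    conn.executemany(
        "INSERT INTO claimants (name, ni_number, address, bank_sort_code, bank_account) "
        "VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def minimal_export(conn):
    """The query the pseudocode sketches: just Name and NI number, nothing else."""
    return conn.execute("SELECT name, ni_number FROM claimants ORDER BY id").fetchall()


def full_export(conn):
    """What a 'copy the whole lot' export returns: every column of every row."""
    return conn.execute("SELECT * FROM claimants ORDER BY id").fetchall()


def csv_size_bytes(rows):
    """Size of the rows written as ASCII CSV, one record per line."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return len(buf.getvalue().encode("ascii"))


def projected_size(bytes_per_record, records=25_000_000):
    """Scale a per-record size up to the 25 million records in the story."""
    return bytes_per_record * records


if __name__ == "__main__":
    db = build_sample_db()
    small, big = minimal_export(db), full_export(db)
    print("minimal export:", csv_size_bytes(small) / len(small), "bytes per record")
    print("full export:", csv_size_bytes(big) / len(big), "bytes per record")
    print("25M records at 100 bytes each:", projected_size(100), "bytes")
```

The point of running both queries side by side is data minimisation: a query that names its columns hands over a couple of dozen bytes per person, while SELECT * drags addresses and bank details along for the ride. Whether the real export was the former, the latter or a compressed copy of the lot is exactly what the inquiry will have to establish.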

Animated curses - Sourcefire knew about this all along!

How about this for a revelation: leading open source security vendor Sourcefire has said that it sorted out the Microsoft animated cursor flaw ages ago. This flaw activates even if you just visit a compromised website using Internet Explorer, causes your PC to reboot persistently and could allow remote access for hackers and, eventually, zombification of your system.

In fact Sourcefire's vulnerability research team (VRT) have known about this problem for over two years, and actually "created a rule that was added to the VRT Certified Ruleset on January 17, 2005. Sourcefire VRT Certified Ruleset users have been protected against exploits targeting this vulnerability for more than 700 days." The Snort intrusion prevention system uses these rules, so if your firm uses Snort, it would have been a case of "Animated cursors? No problemo".

The flaw was eventually sorted by an out-of-cycle emergency patch (MS07-017) by Microsoft, announced through Security Advisory 935423 on 29 March. I did apply the patch as soon as it became available, although luckily I wasn't running some of the third party apps that the patch broke. Funnily enough, I did get the email promising me nude pictures of Paris Hilton and Jenna Jameson the next day. Had I decided in the interests of journalism to click on this link, any animated cursors would have drawn animated curses from me, since this could have eventually led to the Iffy-b Trojan getting onto my system.

Did Sourcefire inform Microsoft of this flaw? If they did, then are the people who've been knobbled by this exploit legally entitled to sue Microsoft? Well, let's leave that to our old 'friends', the lawyers.

A light sabre for malware processes

Ever had that feeling that something’s just not quite right with your system? If you were a Star Wars Jedi Knight, you might feel maybe a twinge in ‘The Force’ when you logged onto your computer, sufficient to alert you that a malware process or processes unknown may be running.

However, we non-Jedis usually have to use anti-malware software to uncover worms and their associated processes squirming and slithering around our systems. One way of checking is to fire up the Windows Task Manager, write down all the process names currently loaded, and then trawl through the Internet eliminating them one by one. Sound too much like hard work? It is, but there are programs out there that can do a lot of the legwork for you.

One such package is Security Task Manager (STM) from Neuber Software. The trial version is free and quickly displays all the Windows and other processes running on your system. A quick look can show you all the software updaters, ActiveX ‘helper’ programs and other junk that was probably set up to run by default when you installed the programs many moons ago.

[Image: Stm_screen]

In fact over 60% of the processes you see in this screenshot of a test system don't need to be running. OK, knocking them all out might not save a massive amount of CPU time, but at least it makes sure they don't pop up at inconvenient times. I got hold of a fully licensed copy, which also lets you see all the services and drivers loaded on your system. STM lets you remove or quarantine problem processes or even ask Google.com about them.

A single user license costs $29 or around £15 if you convert. Is it worth it? I’d say yes and I’ll be using it a lot over the coming months.

The STM screenshots were made using another free utility, Wisdom Software's ScreenHunter. This is a neat program which can be used to screenshot user-defined areas of your screen in real time or on a timer. The paid-for upgrade looks to have many more useful functions.

Getting BitLocker to work

BitLocker does work, it seems.

My queries to Dell about BitLocker and their OptiPlex 745 corporate desktop paid off, and the company this week sent me a tool to upgrade the Bios firmware of the system.

The upgrade itself is a single executable file that lets you upgrade the Bios from within Windows. This is a welcome relief – the last time I had to patch the Bios of a computer, it involved booting from a system disk, then issuing a series of arcane command line instructions. Just as well – our OptiPlex review unit did not come with a floppy disk to boot from.

I held my breath anxiously while the Dell utility re-booted the computer and applied the update, before re-starting Windows.

Next, I faced another hurdle. BitLocker requires an extra disk partition of at least 1.5GB capacity, and although I had carefully set this up, Windows constantly threw up an error message stating that the disk configuration was incorrect.

[Image: Ready_for_bitlocker]

It looked like there was nothing for it but to start the Vista install from scratch. Fortunately, this is not too onerous a task. Booting from the Vista DVD and bypassing the install takes you to a menu of recovery options, from where you can access a command line and the DISKPART storage configuration tool.

Following instructions from Microsoft's TechNet site, I created a small disk partition and set it as active, then created a larger partition filling the rest of the drive's free space. The latter is where Windows gets installed.

[Image: Ready_for_bitlocker2]

Once Vista had been re-installed onto the hard drive, it was just a question of turning on BitLocker. This gives you the option to store a recovery password on a USB Flash drive in case recovery of the data is needed later. I had previously activated the OptiPlex's TPM and set a password.

Encrypting the C: drive took well over an hour, but I was able to continue using the system while this was happening. Once finished, the system does not seem to suffer any noticeable performance degradation from having the main Windows disk entirely encrypted.

[Image: Bitlocker_in_progress]

However, these are the key things that IT managers thinking of deploying BitLocker should keep in mind. Firstly, even brand new corporate PCs may need a Bios update in order to support Microsoft's disk encryption tool. Secondly, the system needs to be fully prepared before Vista is installed. In many cases, it will probably be best to specify that the PC vendor or system integrator configures the disk ready for BitLocker before delivery.

Vista BitLocker proves problematic

Premium versions of Microsoft's Windows Vista, such as the volume-license Enterprise edition, are set to include the BitLocker disk encryption tool when Vista becomes available.

Another proviso for using this is that systems must have a Trusted Platform Module (TPM), a chip on the motherboard that can securely store and generate encryption keys.

As part of recent tests for a review of Dell's OptiPlex 745 desktop, I installed Windows Vista RC2 to see how it performed. The OptiPlex also includes a TPM, so it seemed like a good opportunity to try out BitLocker.

The first obstacle to tackle was that Dell ships its systems with the TPM disabled by default, so I had to access the Bios setup and enable the chip. This is a two-part process on the OptiPlex; first you have to turn 'TPM Security' on, and then use a second menu option to activate the TPM.

[Image: Vista_bitlocker4]

Perhaps foolishly, I thought that Vista might then guide me through the rest of the process. I found the BitLocker option in the Security section of the Windows Control Panel and opened it, to be greeted with a message that helpfully stated 'Your system is not configured to use BitLocker drive encryption'.

[Image: Vista_bitlocker6_1]

Following a little background research, I returned to the system and sought out the new TPM Services module in the Microsoft Management Console. This has facilities to let you initialise a TPM and take ownership, which basically means setting a password to control the TPM. Windows can automatically create a strong password for you and save it to a file on a USB Flash disk, which I duly did.

[Image: Vista_bitlocker3]

Sadly, trying BitLocker again simply resulted in a message stating that the Bios was not correctly communicating with the TPM, and recommending that I contact the manufacturer to get an upgrade. Requests to Dell for help have so far not elicited any response, so BitLocker tests will have to wait for another day.

NT4 worm fears justified

More information about a possible recent worm attack on servers running Windows NT4 suggests the problem could be more severe than first thought. Several security experts have confirmed a worm is circulating that is capable of attacking systems running Windows NT4. The same worm can also attack other versions of Windows, but while Microsoft has published a free patch for the currently supported versions of Windows, it has not released a free patch to firms using Windows NT4. 

Some observers talk down the risk to NT4 systems by arguing that very few firms still use Windows NT4. However, it seems there are still a significant number of NT4 systems in use today, and some of those are used for Internet facing applications, such as web servers.

For example, Netlink is an Internet solutions vendor with a web site that runs on Windows NT4. A Netlink spokesman said, "We still use NT4 and provide NT4 support to customers, but each server has its own firewall blocking what isn't covered by patches. We also work with Windows 2000, but we don't use any of the activation/deactivation enabled versions of Windows because we believe that you can't allow a vendor that much control over your business systems."

A researcher at Netlink contacted security researchers on the Full Disclosure mailing list about a possible worm attack against NT4 servers last Wednesday [30 Aug]. The researcher, called Geo, cited a report by the Sans Internet Storm Center indicating a spike in port scans on TCP port 139 as evidence of increased hacker activity that could be related to a known flaw in Windows NT4. In an exclusive interview with IT Week, Geo said that although the Sans data is not tied specifically to NT4, there is still cause for concern. Geo said, "The Sans data includes all versions of all operating systems, but the spike started at about the same time that we started getting calls about NT4 systems being infected so it's pretty clearly NT4 systems or at least an NT4 capable version of the worm that's causing the spike". 

Other Full Disclosure members confirmed there is a worm capable of attacking servers running Windows NT4, Windows 2000 and Windows Server 2003. However, Geo said that while most Windows 2000 and Windows Server 2003 systems are now patched against this flaw, few NT4 systems are, because Microsoft charges high support fees for NT4 as it considers NT4 systems to be past the end of their supportable life. Geo said Microsoft nonetheless sells support and patches for NT4 to firms that are willing to pay.

The worm appears to attack the Netbios subsystem present in Windows servers. However, Geo said disabling Netbios does not protect servers from the worm. "We've found that unbinding Netbios in NT4 will not protect you, you need a firewall to prevent exposure to the worm."

NT4 worm warning update

We have now contacted the researcher that raised the original NT4 worm warning on the Full Disclosure security mailing list. Called Geo, the researcher said, "I know of six [NT4] systems infected so far. Two of them were not firewalled, and a third was but the third allowed access from the first two so it got infected through them. Another two had firewalls but allowed access from the third machine. I have no idea how the 6th system was configured," Geo added.

However, Paul Vlissidis, head of penetration testing at security specialist NCC Group, said the Sans data could be caused by something other than an NT4 worm. "The increase in port 139 activity shown by Sans could be down to the release of a metasploit framework plug-in [hacker tool] for MS 06-040 which has then been picked up by botnet authors and herders. The most recent worms that seem to use this are W32.Wargbot and Randex.GEL." However, Vlissidis said there are other worms targeting this port, and although there is no sign at the moment of a wave of attacks, he warned against complacency.



© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503