As many of you may have noticed, there have been many changes to the site; and many more to come.

We are currently undergoing a reorganization of the site. It has been decided to consolidate much of the site. What that means, is we will be closing down both the Blog and the Wiki. Most of the content contained in the Blog and Wiki will be moving to the main site. A permanent redirect via the htaccess for the Blog and Wiki subdomains will be put in place to redirect that traffic to the new address for that content; including redirecting the Blog and Wiki main pages to the MalwareTeks main site.

This will be accomplished slowly and over the next year. It is very time consuming to move content, as it has to be recreated in it’s new location before redirecting traffic from the old page to the new page. Two reasons are driving this decision: 1) Maintenance. Currently the site uses 4 different content systems that power all the various parts of MalwareTeks. Dropping the Blog and Wiki content systems and consolidating it under the main site content system will free time. 2) Traffic. Dropping the Blog and Wiki and moving the content to the main site will drive that traffic to the MalwareTeks main site. Which, is where we want people coming to in any case.

All new posts can be found at http://www.malwareteks.com/

Thank you for your understanding and patience,
ShadowPuterDude

Embedded video from CNN Video

Adobe Flash Player 10.0.22.87

National Cyber Alert System
Technical Cyber Security Alert TA09-051A

Adobe Acrobat and Reader Vulnerability

Original release date: February 20, 2009
Last revised: –
Source: US-CERT

Systems Affected

• Adobe Reader version 9 and earlier
• Adobe Acrobat (Professional, 3D, and Standard) version 9 and earlier

Overview

Adobe has released Security Bulletin APSB09-01, which describes a vulnerability that affects Adobe Reader and Acrobat. This vulnerability could allow a remote attacker to execute arbitrary code.

I. Description

Adobe Security Bulletin APSB09-01 describes a memory-corruption vulnerability that affects Adobe Reader and Acrobat. Further details are available in Vulnerability Note VU#905281.

An attacker could exploit these vulnerabilities by convincing a user to load a specially crafted Adobe Portable Document Format (PDF) file. Acrobat integrates with popular web browsers, and visiting a website is usually sufficient to cause Acrobat to load PDF content.

II. Impact

An attacker may be able to execute arbitrary code.

III. Solution

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied it may also mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the “Display PDF in browser” check box.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

IV. References

• Adobe Security Bulletin apsa09-01 – <http://www.adobe.com/support/security/advisories/apsa09-01.html>
• Securing Your Web Browser – <http://www.us-cert.gov/reading_room/securing_browser/>
• Vulnerability Note VU#905281 – <http://www.kb.cert.org/vuls/id/905281>

Feedback can be directed to US-CERT.

Mark Davis a member of the Cape Vincent Volunteer Fire Department, Cape Vincent, NY; Thousand Islands Emergency Rescue Service (TIERS), Clayton, NY; Guilfoyle Ambulance Service, Watertown, NY, was shot a killed late last night while responding to a emergency medial call in the Village of Cape Vincent.

Though I never got a chance to know him personally, I have responded to several calls that both of our departments were called out.

RIP Mark, my heart and prayers go out to the family and friends.

Related Items:
http://www.ti-rescue.org/
http://www.newzjunky.com/police/coplog090131sp2.htm
http://www.syracuse.com/news/index.ssf/2009/01/cape_vincent_emt_shot_a nd_kill_1.html
http://www.wwnytv.net/index.php/2009/01/31/breaking-news-emergency-wor ker-shot/

National Cyber Alert System

Technical Cyber Security Alert TA09-020A

Microsoft Windows Does Not Disable AutoRun Properly

Original release date: January 20, 2009
Last revised: January 21, 2009
Source: US-CERT

Systems Affected

• Microsoft Windows

Overview

Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft’s guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.

I. Description

Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations:

1. A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or FireWire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.



2. A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive’s contents, this action can cause code execution.



3. The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected.

Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

II. Impact

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

Code

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

To import this value, perform the following steps:

1. Copy the text
2. Paste the text into Windows Notepad
3. Save the file as autorun.reg
4. Navigate to the file location
5. Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.

Update:

Microsoft has provided support document KB953252, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun as well as the workaround described above.

IV. References

• The Dangers of Windows AutoRun – <http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun .html>
• US-CERT Vulnerability Note VU#889747 – <http://www.kb.cert.org/vuls/id/889747>
• Nick Browns blog: Memory stick worms – <http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>
• TR08-004 Disabling Autorun – <http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>
• How to correct disable Autorun registry key encforcement in Windows – <http://support.microsoft.com/kb/953252>
• Microsoft Security Bulletin MS08-038 – <http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx>
• How to Enable or Disable Automatically Running CD-ROMs – <http://support.microsoft.com/kb/155217>
• NoDriveTypeAutoRun – <http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/r egentry/91525.mspx>
• Autorun.inf Entries – <http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>
• W32.Downadup – <http://www.symantec.com/security_response/writeup.jsp?docid=2008-1122 03-2408-99>
• MS08-067 Worm, Downadup/Conflicker – <http://www.f-secure.com/weblog/archives/00001576.html>
• Social Engineering Autoplay and Windows 7 – <http://www.f-secure.com/weblog/archives/00001586.html>

Today Microsoft has sent an email to it’s MVPs in an attempt to reach the greatest number of Windows users in the shortest possible time.

Based on feedback from MVPs  and other sources, we are concerned about the rise in reported infections due to the worm Win32/Conficker.B also known as “Downadup.”  Though systems which have already applied the out-of-band released MS08-067 in October 2008 are protected, unpatched system user have experienced system lockout and other problems.

Last week, we released a version of the Malicious Software Removal tool (MSRT) that can help remove variants of Win32/Conficker and other resources.  Please share this information in your communities to help address this threat.

Win32/Conficker.B exploits a vulnerability in the Windows Server service (SVCHOST.EXE) for Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows 2008. While Microsoft addressed this issue in October with Microsoft Security Bulletin MS08-067, and Forefront antivirus and OneCare (as well as other vendor’s anti-virus products) helped protect against infections, many systems that have not been patched manually through Server Update Services and Microsoft/Windows Update or through Automatic Updates have recently come under attack by this worm.  Attacked systems may lock out users, disable our update services and block access to security-related Web sites:

In response to this threat, Microsoft has:

• Updated the January version of the MSRT to detect and remove variants of Win32/Conficker.B.  You can download this version from the MSRT from either the Microsoft Update site or through its associated Knowledge Base article.
• Created the KB article 962007 “Virus alert about the Win32/Conficker.B worm” to provide public details on the symptoms and removal methods available to address this issue.
• Announced the release of the items and the virus threat itself on the Microsoft Malware Protection Center blog.

It is our hope that these resources can assist you in resolving issues with unpatched, infected systems and that you can apply MS08-067 to any other unpatched systems as soon as possible to avoid this threat.

Microsoft links:
MS08-067
Malicious Software Removal tool
History: Win32/Conficker.B

The online security forum CastleCops has ceased operations after more than 5 years of support to malware victims through out the world. Going to the site today, http://www.castlecops.com/, I was meet with this page:

Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium (ISC.org). This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support.

We thank everyone in creating our unique footprint and memories in time.

Love, Best Wishes and Happy Holidays, CastleCops
PST 23 Dec 2008

CastleCops was home to many unique communities that aided in the fight against the spread of malware software and sites. Communities such as the Malware Incident Response Team, Phishing Incident Response Team, and the Malware Digest. CastleCops was at the forefront of the battle for quite some time, and many of the malware removal experts could be found hanging out at CastleCops at any givien time of the day or night. CastleCops has been a victim of numerous DDoS attacks over the past 2 years; and with Paul and Robin Laudanski having transfered ownership of CastleCops, after Paul took a job with MicroSoft, in steady decline.

CastleCops will be missed.

Before proceeding with these removal instructions you will want to download all tools and print the instructions.

Download to your desktop FixIEDef

If you are connected via a router, download the User’s Guide for your router if you don’t have one on-hand.

Now disconnect your computer from the router and power off your router.  Next on the underside of the router should be a little red reset button that is slightly recessed.  Press and hold the reset button for a least 10 seconds.  This is going to reset the router to factory defaults.

Run FixIEDef (Instructions for use can be found at the FixIEDef Webpage)

Now let’s reset the DNS Settings for your computer:

1. Click Windows menu go to Start > Run (if you’re using Vista the search box).
2. Type “cmd”. (This will open the command console).
3. Type the following commands, exactly as shown, pressing the enter key after each command:
ipconfig /release
ipconfig /renew
exit

The command console will exit after the last command is entered.

Now reboot your computer.

Reconnect the router to the computer, turn it on and configure your router. This is where you need the User’s Guide for your router.

If for some reason this does not work, start a thread in the Malware Removal Forum, you must be a registered member of the site to post in the forums.