Conficker Worm Targets Microsoft Windows Systems
US-CERT is aware of public reports indicating a widespread infection of the Conficker worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across the network if the host is not patched with MS08-067.
The presence of a Conficker infection may be detected if a user is unable to navigate to the following websites:
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp+link_conficker_worm
http://www.mcafee.com
If a user is unable to reach either of these websites, the Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the infected system should be removed from the network. Major anti-virus vendors and Microsoft have released several free tools that can verify the presence of a Conficker infection and remove the worm. Instructions for manually removing a Conficker infection from a system have been published by Microsoft in Knowledgebase Article 962007.
US-CERT encourages users to prevent a Conficker infection by ensuring all systems have the MS08-067 patch (part of Security Update KB958644, which was published by Microsoft in October 2008), disabling AutoRun functionality (see US-CERT Technical Cyber Security Alert TA09-020A), and maintaining up-to-date antivirus software.
US-CERT will provide additional information as it becomes available.
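The detection hint above (vendor security sites unreachable while the rest of the network works) and the MS08-067 patch check can be scripted as a first triage step. The following Windows PowerShell script is an added example, not part of the US-CERT alert: the two vendor hostnames and the KB958644 number are taken from the alert, while www.example.com is a constructed control name used only to tell "all name resolution is broken" apart from "only the vendor names fail", and the SuspectConficker flag is a heuristic of this example, not a vendor-grade detection.

```powershell
# Added example (not part of the US-CERT alert): triage check for the Conficker
# indicators the alert describes. Run in Windows PowerShell 3.0 or later.
# Assumptions: the vendor hosts and KB958644 come from the alert; www.example.com is a
# constructed control name (any unrelated name that normally resolves would do).

$VendorHosts = @('www.symantec.com', 'www.mcafee.com')   # sites the alert says an infected host cannot reach
$ControlHost = 'www.example.com'                          # assumption: unrelated name used as a control

function Test-NameResolves {
    param([string]$HostName)
    try {
        $null = [System.Net.Dns]::GetHostAddresses($HostName)
        return $true
    } catch {
        return $false
    }
}

function Get-ConfickerTriage {
    $vendorBlocked = @($VendorHosts | Where-Object { -not (Test-NameResolves $_) })
    $controlOk     = Test-NameResolves $ControlHost
    # The MS08-067 fix ships as KB958644 (per the alert); Get-HotFix lists installed updates.
    $patched       = [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        BlockedVendorHosts = $vendorBlocked
        ControlResolves    = $controlOk
        MS08067Installed   = $patched
        # Heuristic only: vendor names fail while an unrelated name still resolves.
        SuspectConficker   = ($vendorBlocked.Count -gt 0) -and $controlOk
    }
}

$result = Get-ConfickerTriage
$result | Format-List

if ($result.SuspectConficker) {
    Write-Warning 'Vendor security sites fail to resolve while other names do: isolate this host and run a vendor removal tool (see Microsoft KB 962007).'
}
if (-not $result.MS08067Installed) {
    Write-Warning 'KB958644 (MS08-067) is not reported as installed: apply it before reconnecting the host.'
}
```

A host where all three names fail is more likely to have a general DNS or connectivity problem than an infection, which is why the control name is checked separately; a host where only the vendor names fail should be taken off the network and scanned with one of the free vendor tools the alert mentions.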
Java Security Vulnerabilities
Sun Releases Updates for Java SE
added March 26, 2009 at 08:54 am
Sun has released updates for Java SE to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.
US-CERT encourages users to review the Sun Java SE 6 Update Release Notes and upgrade to Java SE version 1.6.0_13 to help mitigate the risks.
Microsoft Updates for Multiple Vulnerabilities
Source: US-CERT
As part of the Microsoft Security Bulletin Summary for March 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows and Windows Server.
A remote, unauthenticated attacker could gain elevated privileges, poison the DNS cache, execute arbitrary code, or cause a vulnerable application to crash.
Solution
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).
Is Your Computer Part of a Zombie Army?
(NAPS) — Hackers and spammers may be using your computer right now. They invade secretly and hide software to get access to the information on your computer, including your e-mail program. Once on your computer, they can spy on your Internet surfing, steal your personal information and use your computer to send spam to other computers without your knowledge.
Computers taken over this way often become part of a robot network, known as a “botnet” for short. A botnet, also known as a “zombie army,” is made up of tens or hundreds of thousands of home computers sending e-mails by the millions. Fortunately, botnets are not inevitable.
You can protect yourself from botnets, hackers and spam. To help you reduce your chances of becoming part of a botnet, the Federal Trade Commission encourages you to secure your computer by:
• Using anti-virus and anti-spyware software and keeping it up to date.
• Being cautious about opening attachments or downloading files from e-mails you receive.
• Using a firewall to protect your computer from hacking attacks while it is connected to the Internet.
• Disconnecting from the Internet when you are away from your computer.
• Checking your “sent items” file or “outgoing” mailbox for messages you did not intend to send.
To learn more, visit OnGuardOnline.gov/botnet.html.
Waledac Trojan Horse Spam Campaign Circulating
US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.” Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video. If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
Install antivirus software, and keep the virus signatures up to date.
Do not follow unsolicited links and do not open unsolicited email messages.
Use caution when visiting untrusted websites.
Use caution when downloading and installing applications.
Obtain software applications and updates directly from the vendor’s website.
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
Economic Stimulus Email and Website Scams
US-CERT is aware of reports of economic stimulus scams circulating. These scams are being conducted through both email and malicious websites.
Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users’ bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users’ accounts.
The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms.
US-CERT encourages users to do the following to help mitigate the risks:
Review the Federal Trade Commission alert about economic stimulus scams.
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
Mozilla Foundation Releases Firefox 3.0.7
Mozilla Foundation has released Firefox 3.0.7 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. The Mozilla Foundation Security Advisories also indicate that these vulnerabilities affect Thunderbird and SeaMonkey.
US-CERT encourages users to review the following Mozilla Foundation Security Advisories and update to Firefox 3.0.7 to help mitigate the risks.
Next World Cyber-security Contest
Next World Cyber-security Contest Launched by FIRST, CERT Coordination Center
Pittsburgh, PA, February 25, 2009 – The second international competition honoring best practices and advances in safeguarding the security of computer systems and networks was announced today by FIRST (the Forum of Incident Response and Security Teams) and the Carnegie Mellon Software Engineering Institute CERT Coordination Center (CERT/CC).
And once again, the purpose is not just to reward practitioners for excellence in the security field, but to provide new utilities that will help make the cyber world a safer place.
The winners will be announced at the 21st Annual FIRST Conference, June 28 – July 3, 2009, at the Hotel Granvia, Kyoto Station, Kyoto, Japan.
The theme for this year’s best practices contest is “Detect,” reflecting the second phase of a computer security incident response team’s cycle of activity: protect, detect, respond, and sustain. The inaugural awards in 2008 focused on the “Protect” phase.
Jeffrey Carpenter, technical lead for CERT/CC’s incident response team, said the purpose of the awards from the two organizations is to honor experts worldwide who have developed best practices to prevent cyber attacks or mitigate attacks that are unfolding.
“Front line security experts who work diligently to protect their organizations and mitigate attacks are under-recognized for their work,” Carpenter explained. “This competition offers them the opportunity to be recognized and honored by their peers worldwide.”
Peter Allor, FIRST Steering Committee member and conference liaison, said: “This exercise is in line with our mission to develop and share technical information, tools, methodologies, processes and best practices in order to promote a safer and more secure global electronic environment.
“We thank CERT/CC for sponsoring this competition to advance and reinforce our mutual goals.”
Any working group, team, organization or individual who has developed a best practice is eligible to enter the competition. Top prize is $5,000, and the runner-up will receive $2,500.
Last year’s winners under the banner “Protect” were TWNCERT, Chinese Taipei, and KrCERT/CC from the Republic of Korea, who investigated respectively the reasons that malicious internet attacks succeed and the most likely sources of spam. Both teams’ pioneering work was made freely available on the web to further the cause of internet security.
Submissions for this year’s awards must be received no later than Thursday, April 30, 2009, at 23:59 U.S. Eastern Daylight Time (UTC-4), which is 03:59 G.M.T. (Friday May 1, 2009).
Submissions must encompass the “Detect” theme. FIRST and CERT/CC define detect actions as information about potential incidents, vulnerabilities, or other computer security or incident management information that is gathered either reactively (received from internal or external sources in the form of reports or notifications) or proactively (monitoring indicators of possible incidents or the exploitation of vulnerabilities through mechanisms such as network monitoring or IDS).
“In each case we are looking for the most innovative strategies and solutions that can be translated swiftly into worldwide best practice to reduce global security threats,” said Carpenter. “So as well as honoring excellence, this is a competition designed to have a pragmatic and truly useful outcome throughout the worldwide cyber community.”
FIRST’s 2009 conference, which has as its theme recovery from disaster, and the lessons and crafts that can be learned from the processes of recovery, is already drawing key international players from the world of cyber security to speak and participate.
For further information and to submit papers to the Best Practice Competition, go to http://www.first.org/global/practices or email first-2009bp@first.org. For further information about the FIRST Kyoto conference, and to register to attend, go to http://conference.first.org/
About FIRST
The worldwide Forum of Incident Response and Security Teams is a nonprofit organization that leads the world’s fight-back against cyber-crime, sabotage and terrorism, and consists of the Internet emergency response teams from some 200 corporations, government bodies, universities and other institutions from across the Americas, Asia, Europe and Oceania. For more information, visit www.first.org.
About Software Engineering Institute CERT/CC
The Software Engineering Institute (SEI) is a U.S. Department of Defense federally funded research and development center operated by Carnegie Mellon University. The SEI helps organizations make measured improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. The CERT Coordination Center (CERT/CC) is part of the larger SEI CERT Program and serves as a center of enterprise and network security research, analysis, and training within the SEI. For more information, visit the CERT Web site at www.cert.org and the SEI Web site at www.sei.cmu.edu.
New Variant of Conficker/Downadup Worm Circulating
US-CERT is aware of public reports concerning a new variant of the Conficker/Downadup worm, named Conficker B++. This variant propagates itself via multiple methods, including exploitation of the previously patched vulnerability addressed in MS08-067, password guessing, and the infection of removable media. Most significantly, Conficker B++ implements a new backdoor with “auto-update” functionality, allowing machines compromised by the new variant to have additional malicious code installed on them. According to Microsoft, there is no indication that systems infected with previous variants of Conficker can automatically be re-infected with the B++ variant.
US-CERT strongly encourages users to review Microsoft Security Bulletin MS08-067 and update unpatched systems as soon as possible.
Additionally, US-CERT recommends that users take the following preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to date.
* Review the Microsoft Malware Protection Center blog entry for details regarding the worm.
* Review the Using Caution with USB Drives Cyber Security Tip for more information on protecting removable media.
Adobe Acrobat and Reader Vulnerability
National Cyber Alert System
Technical Cyber Security Alert TA09-051A
Systems Affected
* Adobe Reader version 9 and earlier
* Adobe Acrobat (Professional, 3D, and Standard) version 9 and earlier
Overview
Adobe has released Security Bulletin APSB09-01, which describes a vulnerability that affects Adobe Reader and Acrobat. This vulnerability could allow a remote attacker to execute arbitrary code.
I. Description
Adobe Security Bulletin APSB09-01 describes a memory-corruption vulnerability that affects Adobe Reader and Acrobat. Further details are available in Vulnerability Note VU#905281.
An attacker could exploit this vulnerability by convincing a user to load a specially crafted Adobe Portable Document Format (PDF) file. Acrobat integrates with popular web browsers, and visiting a website is usually sufficient to cause Acrobat to load PDF content.
II. Impact
An attacker may be able to execute arbitrary code.
III. Solution
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
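The same workaround can be applied and verified from an elevated PowerShell prompt, which is handy when rolling it out to many machines or auditing whether it is still in place. The script below is an added example and not part of the alert or of Adobe's documentation: the key name AcroExch.Document.7 and the value hex:00,00,00,00 are the ones the .REG fragment above gives; other Reader or Acrobat versions register a different ProgID, which is why the key is a parameter, and the function names are this example's own.

```powershell
# Added example (not part of the alert): apply and verify the EditFlags workaround
# from the .REG fragment above with PowerShell instead of a .REG import.
# Assumptions: ProgID AcroExch.Document.7 as given in the alert; run from an
# elevated prompt because HKEY_CLASSES_ROOT is machine-wide. Requires PowerShell 3.0+.

function Get-AcrobatEditFlags {
    param([string]$ProgId = 'AcroExch.Document.7')
    # There is no HKCR: drive by default, so address the hive through the provider path.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name EditFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [byte[]]$item.EditFlags
}

function Set-AcrobatPromptBeforeOpen {
    param([string]$ProgId = 'AcroExch.Document.7')
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path $key)) {
        throw "Key $key not found; Reader/Acrobat may not be installed or may use a different ProgID."
    }
    $before = Get-AcrobatEditFlags -ProgId $ProgId
    # Same value as the alert's .REG fragment: "EditFlags"=hex:00,00,00,00
    Set-ItemProperty -Path $key -Name EditFlags -Value ([byte[]](0, 0, 0, 0)) -Type Binary
    $after = Get-AcrobatEditFlags -ProgId $ProgId

    $beforeText = '<absent>'
    if ($null -ne $before) { $beforeText = ($before | ForEach-Object { $_.ToString('x2') }) -join ',' }
    $afterText  = ($after | ForEach-Object { $_.ToString('x2') }) -join ','

    [PSCustomObject]@{
        ProgId  = $ProgId
        Before  = $beforeText
        After   = $afterText
        Applied = (($after -join ',') -eq '0,0,0,0')
    }
}

Set-AcrobatPromptBeforeOpen | Format-List
```

Recording the previous value before overwriting it gives you something to compare against later: if a subsequent Reader install or update sets EditFlags back to a non-zero value, a scheduled run of Get-AcrobatEditFlags will show the workaround has been silently undone.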
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the “Display PDF in browser” check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.