Archive for October, 2008

New critical Security Bulletin MS08-067

October 24, 2008

Yesterday Microsoft published an out-of-band security bulletin, MS08-067. This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution and is exploited by sending a specially crafted RPC request to a vulnerable system (the same attack vector Sasser and Blaster used). On Microsoft Windows 2000, Windows XP and Windows Server 2003 systems (and even the Windows 7 Pre-Beta), an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used to craft a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This vulnerability is rated as critical for Windows 2000, Windows XP, Windows Server 2003 and as important for Windows Vista and Windows Server 2008.

We have already seen the first Trojan distributed using this vulnerability; we detect it as Trj/Gimmiv.A. The Trojan itself does not use the vulnerability to spread, but someone is using the vulnerability to infect systems with it.

We strongly recommend that you update your system as soon as possible.
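As an added example (not part of the original post, and not PandaLabs or Microsoft code), the script below does the two things the bulletin's advice amounts to for an administrator: it checks which machines in an inventory are missing the update, and it reminds you that until they are patched the Server service (SMB, TCP 139 and 445) should not be reachable from outside the trusted network. Assumptions: the script runs from an account with administrative rights on the target hosts, remote WMI is reachable, and the `$KbId` placeholder is replaced with the KB article number that the MS08-067 bulletin lists (the number is not reproduced here).

```powershell
# Added example: inventory check for the MS08-067 update (not code from the original post).
# Assumptions: admin rights on the targets, remote WMI reachable,
# and $KbId replaced by the KB id from the MS08-067 bulletin (placeholder below).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$KbId = "KBXXXXXX"   # placeholder: substitute the KB id from the bulletin
)

function Test-HotfixInstalled {
    param([string]$Computer, [string]$Kb)
    # Win32_QuickFixEngineering lists installed updates on XP, 2003, Vista and 2008.
    $fixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $Computer -ErrorAction Stop
    return [bool]($fixes | Where-Object { $_.HotFixID -eq $Kb })
}

$missing = @()
foreach ($c in $ComputerName) {
    try {
        if (Test-HotfixInstalled -Computer $c -Kb $KbId) {
            Write-Output ("{0}: update present" -f $c)
        } else {
            Write-Output ("{0}: update MISSING - prioritise" -f $c)
            $missing += $c
        }
    } catch {
        # A host that cannot be queried is treated as unknown, not as patched.
        Write-Output ("{0}: could not query ({1})" -f $c, $_.Exception.Message)
        $missing += $c
    }
}

if ($missing.Count -gt 0) {
    Write-Output ""
    Write-Output "Hosts still exposed to the Server service vulnerability:"
    $missing | ForEach-Object { Write-Output ("  " + $_) }
    Write-Output "Until patched, block inbound TCP 139/445 to these hosts from untrusted networks."
}
```

Run it with `-ComputerName host1,host2` from a management workstation. Hosts that fail the WMI query are listed alongside the unpatched ones on purpose: an unreachable machine is an unknown, and unknowns are exactly what a wormable bug exploits.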

Rogue mistakes!

October 22, 2008

As we have mentioned recently, the distribution of rogue antimalware programs has increased considerably and they have become a very widespread threat, even catching up with Trojans, which have been the most active type of malware in recent years.

For example, today more than 75% of the adware-type malware detected by our technicians has been this kind of fake AV program.

In the following image you can see a collage of different websites and interfaces belonging to several rogue antimalware programs:

Every day we detect different variants of these programs and new websites from which they can be downloaded. All the fake programs have different names, interfaces, features… Taking into account the high number of different programs created, it is no surprise that from time to time the cybercrooks make mistakes. As you can see in the image below, the copy/paste technique doesn't always work properly:


Microsoft Updates for October

October 15, 2008

Eleven new security bulletins have been published (from MS08-056 to MS08-066) as part of the usual launch of Microsoft Updates.

We recommend that you update your system as soon as possible: according to Microsoft's classification, four of the bulletins are rated as "critical", six as "important", and one as "moderate".

You can find more information about those security bulletins by clicking the following links:

  • MS08-056: Vulnerability in Microsoft Office Could Allow Information Disclosure.
  • MS08-057: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution.
  • MS08-058: Cumulative Security Update for Internet Explorer.
  • MS08-059: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution.
  • MS08-060: Vulnerability in Active Directory Could Allow Remote Code Execution.
  • MS08-061: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege.
  • MS08-062: Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution.
  • MS08-063: Vulnerability in SMB Could Allow Remote Code Execution.
  • MS08-064: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege.
  • MS08-065: Vulnerability in Message Queuing Could Allow Remote Code Execution.
  • MS08-066: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege.


Who Wants to Be a Millionaire?

October 14, 2008

During the last few months I've been asked the same question almost every day: why are there so many rogueware infections? We have already published some data in the blog, as well as in the 2008 Q3 Report. The infection numbers are quite telling:

As you can see, Adware is at the top, and this is due to the rogueware detections, which are included in the Adware category. With all the sensors we now have in the new products, which are connected to Collective Intelligence, and given this wave of infections, I wanted to know whether the feeling I had was real or not. From the 1st of June 2008 until yesterday, we have received reports from more than 2 million different computers. Even though our user base is much larger, I have only taken the data from products that use the connection to the cloud and whose users have agreed to share information, which means that most of them are users of our free online scanner ActiveScan.

The next query was easy: how many of these 2 million computers have detected rogueware? About 70,000 different computers. That makes about 3% of those 2 million computers.

How can we translate this to the whole world? We can extrapolate this information; even though this is not 100% accurate, it can shed some light on the issue. According to Forrester, there are about 1 billion computers (US billions, one thousand million for non-US readers). That would make 30 million rogueware-infected computers (3%).

Then we have Gartner, which said that about 3.30% of people are losing money due to phishing, i.e. people who actually send their banking information to the phishers. Rogueware is much more aggressive than phishing, but as we do not know how many users are being fooled into buying that "software" to get rid of fake infections, let's say that only that 3.30% of people are paying. That would mean almost 1 million users buying rogueware (in only 4 months and 2 weeks!)

The price of each rogueware application varies, but let's say that 50€ is the average price. The maths is not difficult:

50€ * 1,000,000 = 50,000,000 € (US$ 69,000,000)

OK, they are not earning this money all at once; it is spread over 4 months and 2 weeks… so that means more than 11,000,000€ (US$ 15,000,000) per month.

So… Who Wants to Be a Millionaire?

Microsoft Security Center recommends you…

October 13, 2008

… this is part of a fake message used by a new rogue antivirus in a screensaver, where users are warned that their system is infected and that they need to update it with a fake antivirus. PandaLabs detects it as Adware/RogueAntivirus2010.

Besides, some weeks ago PandaLabs detected a previous version of this program called Adware/RogueAntivirus2009.

Taking into account the high activity of this type of application, we wouldn't be surprised to see a new rogue called Adware/RogueAntivirus2011 in the next few weeks.

Here you can see different images of the screensaver displayed by RogueAntivirus2010:

We have prepared a video where you can see the full screensaver used by this rogue antivirus to deceive users. Click here to watch it.

Thanks to Oscar Anduiza for the sample.

Back from VB2008

October 7, 2008

We returned from Virus Bulletin 2008 last Saturday. It has been a very exciting week: great presentations and even better beer :-). Ottawa is really wonderful.
This year was the first time I've given a presentation at a big conference like VB. I have to say that I was nervous :-), but it has been a great experience that I'll try to repeat.

If you couldn't go you can download the slides:

 Ismael Briones VB2008

VB2008 has allowed us to publish the entire paper. Enjoy it! (Copyright is held by Virus Bulletin Ltd.; made available on this site for personal use free of charge by permission of Virus Bulletin. This work may not be reproduced or redistributed without express permission from the copyright holder.)

Quarterly Report July-September 2008

October 3, 2008

We have just released the PandaLabs Q3 report.

So, it's time to see what has happened in the last three months. You can download it in English or in Spanish.

Enjoy it!

VB 2008 – Ottawa

October 2, 2008

We are having a really great time at VB2008 in Ottawa. Some of the talks are extremely interesting, but the best part is catching up with everyone in the industry so we can share information, ideas, and a few beers in the meantime 😉

Yesterday's presentation on the rise of MBR rootkits was one of the best of the day. Today is even better, starting with our blogger Ismael Briones, who has just finished his presentation about classifying malware using graphs, entropy and grid computing:


After lunch there are some last-minute presentations that look great, covering different fields such as testing, banking Trojans, rogueware, etc. The conference ends tomorrow, so I'm going back to the conference room as I don't want to miss a single minute!