Infected Word files spreading malware on Macs

Weaponized Word files targeting Macs have been identified by AlienVault Labs, which says the malware is coming from the same Chinese group that has been targeting the Tibetan government and nongovernmental organizations.

The Word files seem to exploit an existing vulnerability and target Microsoft Office for Mac. “This is one of the few times that we have seen a malicious Office file used to deliver malware on Mac OS X”, AlienVault Labs noted in a blog.

“A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights”, the blog explained.

The command and control domain for the malware is located in Beijing province on China Unicom’s network, according to the blog.

AlienVault Labs had earlier found that the same group was behind recent spear phishing attacks on the Central Tibetan Administration and other Tibetan groups, as well as the Nitro attacks targeting chemical and defense firms last year.

Exploiting Remote Desktop Code Leaked...Are you using RDP?

NOTE: All "Worry-Free IT" customers using RDP have been patched against this bug/exploit.


Microsoft on Friday confirmed that sample attack code created by the company had likely leaked to hackers from a program it runs with antivirus vendors.

"Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners," Yunsun Wee, a director with Microsoft's Trustworthy Computing group, said in a statement posted on the company's site.

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee added.

Under MAPP, Microsoft provides select antivirus companies with technical information about bugs before Microsoft patches the flaws. MAPP is meant to give third-party security vendors advance warning so that they can craft detection signatures.

Among the things Microsoft shares with MAPP members, according to a program FAQ, are "proof-of-concept or repro tools that further illuminate the issue and help with additional protection enhancement."

The Friday acknowledgment by Microsoft was prompted by claims earlier in the day by Luigi Auriemma, the Italian researcher who reported the vulnerability in Windows Remote Desktop Protocol (RDP) in May 2011.

Auriemma said that code found in a proof-of-concept exploit on a Chinese website was identical to what he had provided HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program. His code was then used by ZDI to create a working exploit as part of the bounty program's bug verification work.

ZDI then passed along information about the RDP vulnerability, including the exploit that used Auriemma's code, to Microsoft.

According to Auriemma, the public exploit included the string "MSRC11678," a reference to a Microsoft Security Response Center (MSRC) case number, indicating that the leak came from Microsoft.

ZDI denied it had been the source of the leak. "We're 100% confident that the leak didn't come from us, and Microsoft is comfortable with us saying that," Aaron Portnoy, the leader of TippingPoint's security research team and the head of ZDI, said in an interview Friday.

Portnoy also described the chain of custody of Auriemma's code -- a specially-constructed data packet that triggers the RDP vulnerability -- from its May 2011 submission to ZDI to its inclusion in the concept exploit that ZDI provided Microsoft in August 2011 as part of a broader analysis of the vulnerability.

The proof-of-concept exploit now circulating among hackers does not allow remote code execution -- necessary to compromise a PC or server, and then plant malware on the system -- but instead crashes a vulnerable machine, said Portnoy. The result: The classic Windows "Blue Screen of Death."

Portnoy also echoed what Microsoft's Wee said of the similarity between the public exploit and Auriemma's code. "We can confirm that the executable [exploit] does have a packet that was part of what Luigi gave us," said Portnoy.

Microsoft launched MAPP in 2008. The program has 79 security firm partners, including AVG, Cisco, Kaspersky, McAfee, Trend Micro and Symantec, as well as several Chinese antivirus companies. A full list of MAPP members can be found on this Microsoft Web page.

On Friday, Wee did not say whether Microsoft had a list of suspects, but noted that all information it passes to MAPP partners was under "a strict Non-Disclosure Agreement (NDA)." If the leak did originate with a MAPP partner, it would be the first ever for the program.

Microsoft's MS12-020 update patches the RDP bug, and can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Get Ready to Add a “Y” at The End of The Internet Service Provider Acronym (ISPY)

By Bill Klump | @TheKlumper | March 17th, 2012

During a panel discussion at a recent Association of American Publishers’ meeting featuring Cary Sherman, CEO and Chairman of  the Recording Industry Association of America (RIAA) and Fritz Attaway, Executive Vice President of the Motion Picture Association of America (MPAA), Sherman made news when he mentioned July 1 as the date of the rollout by major U.S.-based ISPs—including AT&T, Cablevision, Comcast, Verizon and Time Warner Cable—of a “graduated response” program that has been on the drawing board for several years and in active development for over a year.

Graduated Response refers to a process whereby ISPs send customers a series of notifications regarding their alleged illegal downloading of copyrighted content that increase from simple warnings to more severe forms of interdiction, including bandwidth reduction, protocol blocking and, in worst-case scenarios, account suspension.

If Sherman is correct about the start date for Graduated Response in the United States, it will be a big victory and a significant development for the music and movies industries, which have been working and lobbying for years to get similar laws or agreements in place in other countries, sometimes with the direct and controversial help of the U.S. government.

In New Zealand, for instance, released WikiLeaks documents showed that pressure from the U.S. was instrumental in getting a “three strikes” bill passed last year that had faced fierce opposition when it was first proposed in 2009. The law is considered one of the strictest ever conceived in terms of the potential penalties faced by consumers, including monetary fines of up to $15,000 ($12,000) to be paid to the copyright owner and internet account suspensions of up to six months if the fines are found to be ineffective.

“The unnerving part,” commented Zero Paid at the time, “is the fact that this will no doubt encourage multi-national corporations to pursue such laws in other countries.”

In the United States, the multi-nationals, under the umbrella of the MPAA and RIAA, have indeed been very active trying to get bills such as SOPA and PROTECT IP passed into law, but the world is well aware how that turned out. The deals carved out with the major ISPs, on the other hand, even if they were accomplished with the help of the White House, required no vote by Congress, making them all but impervious to challenge other than by way of potential legal claims brought by aggrieved competitors or customers if the ISPs and their new partners in piracy detection implement the new identification and notification regime unfairly.

According to an interview with Sherman conducted by Ars Technica’s Nate Anderson three years ago, when the music industry decided to end its lawsuit campaign against end-users suspected of digital piracy in favor of the Graduated Response partnership that was just being forged with the ISPs, the heavy lifting of identifying alleged infringers will be done by the RIAA (and, presumably, the MPAA), which will then “pass that information on to ISPs, who will notify (and eventually sanction) users without turning personal information over to the music industry.”

At the time, it was envisioned that alleged infringers would be given three strikes, but the current plan calls for five strikes before actual sanctions, which reportedly will vary from ISP to ISP, will kick in. “Each ISP has to develop their infrastructure for automating the system, [and] for establishing the database so they can keep track of repeat infringers, so they know that this is the first notice or the third notice,” Sherman told CNET following the panel discussion. “Every ISP has to do it differently depending on the architecture of its particular network. Some are nearing completion and others are a little further from completion.”

CNET also reported, “Participating ISPs can choose from a list of penalties, or what the RIAA calls ‘mitigation measures,’ which include throttling down the customer’s connection speed and suspending Web access until the subscriber agrees to stop pirating. The ISPs can waive the mitigation measure if they choose and not one of the service providers has agreed to permanently terminate service.”

According to Digital Trends, the start date of Graduated Response may have been announced, but its launch will only signal the beginning of the next phase in the years-long struggle to find a balance between users and creators of digital content.

“While the RIAA, MPAA, and even the White House support this measure, many questions still remain,” wrote Andrew Couts. “For instance, what about customers that get internet access from smaller providers? Will those companies be pressured into jumping on the Hollywood bandwagon? Moreover, given the staunch public opposition to governmental efforts to impose restrictions on the internet, how will people react if they lose their connection altogether? Our prediction: Dark days are ahead.”


Experts sound worm alarm for critical Windows bug

Worry-Free IT Customers have been patched against this RDP exploit! What is Worry-Free IT? Become a customer now! Reno IT Systems Management Service


Microsoft today released six security updates that patched seven vulnerabilities, including a critical Windows bug that hackers will certainly try to exploit with a network worm, according to researchers.

"This is a pre-authentication, remote code bug," said Andrew Storms, director of security operations at nCircle Security, referring to MS12-020, the one critical bulletin today and the update that he, other researchers and even Microsoft urged users to patch as soon as possible.

"It will allow network execution without any authentication, and has all the ingredients for a classic worm," said Storms.

"I'm particularly spooked by this one," said Jason Miller, manager of research and development at VMware. "Hackers want [vulnerabilities] that don't require authentication and are in a part of Windows that's widely used. I guarantee that attackers are going to look at this closely."

MS12-020 patches a pair of bugs in Windows' Remote Desktop Protocol (RDP), a component that lets users remotely access a PC or server. RDP is frequently used by corporate help desks, off-site users and IT administrators to manage servers at company data centers and those the enterprise farms out to cloud-based service providers like Amazon and Microsoft.

The critical vulnerability, dubbed CVE-2012-0002, could be exploited by an attacker who simply sends specially-crafted data packets to a system with RDP enabled, said Microsoft.

"Absolutely, this will be very attractive to hackers," said Amol Sarwate, manager of Qualys' vulnerability research lab, echoing Storms and Miller. "It doesn't look like it's that complicated to come up with the code sequence [to trigger the bug]."

Microsoft raised all its usual flags, and more, for MS12-020, tagging it with an exploitability index rating of "1," meaning it expects reliable exploits to appear within 30 days, and ranking the update as the one to patch before all others.

In a post to the company's Security Research & Defense (SRD) blog, Suha Can and Jonathan Ness, a pair of Microsoft engineers, went even further. "[We] strongly encourage you to make a special priority of applying this particular update," said Can and Ness.

Ideally, customers will quickly apply the patch, but Microsoft also offered a temporary workaround.

The workaround, which Microsoft automated using its Fix-it support tool, adds another layer of security by requiring Network Level Authentication, or NLA, to force authentication before an RDP session begins. The Fix-it tool applies to Windows Vista, Windows 7, Server 2008 and Server 2008 R2.

Windows XP and Server 2003, however, do not support NLA; for the former, Microsoft released an additional Fix-it tool that adds NLA support to Windows XP Service Pack 3 (SP3) desktops and laptops.

Links to the Fix-it tools can be found on the SRD blog.
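As an added illustration of the NLA workaround described above (this is not Microsoft's Fix-it and not code from the article), the following PowerShell audits whether a host has Remote Desktop enabled without Network Level Authentication and, if so, requires NLA. It assumes it runs elevated on Windows Vista / 7 / Server 2008 / 2008 R2 or later, which expose the `UserAuthentication` setting; Windows XP and Server 2003 do not, as the article notes.

```powershell
# Added example: audit and enforce the NLA workaround for RDP (not Microsoft's Fix-it tool).
# Assumes an elevated Windows PowerShell session on Vista / 7 / Server 2008 / 2008 R2 or later.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpNlaStatus {
    # fDenyTSConnections = 1 means Remote Desktop is disabled entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before the RDP session begins.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        # Exposed = reachable pre-authentication, the condition the MS12-020 bug needs.
        Exposed      = ($deny -eq 0) -and ($nla -ne 1)
    }
}

function Enable-RdpNla {
    # Same effect as the Fix-it: require NLA for the RDP-Tcp listener, via the
    # Win32_TSGeneralSetting WMI class Microsoft documents for this setting.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    # Takes effect for new sessions without a reboot, which is why the researchers
    # quoted in the article preferred it as a first step before deploying MS12-020.
}

$status = Get-RdpNlaStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning "RDP is enabled without NLA on $($status.ComputerName); enabling NLA."
    Enable-RdpNla
    Get-RdpNlaStatus | Format-List
}
```

Enabling NLA reduces exposure to unauthenticated packets but does not remove the vulnerability, so the patch still needs to follow.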

Several researchers applauded Microsoft's workarounds, in large part because unlike the patch, they don't require a system reboot, which may make server administrators skittish about applying MS12-020 itself.

"NLA is a really good option," said Wolfgang Kandek, chief technology officer at Qualys. He and others expect that many Microsoft customers will enable NLA first, then later patch the vulnerability by deploying MS12-020.

"It's going to be enough to mitigate the first wave of attacks," argued Storms, of enabling NLA.

Storms and Miller agreed that that first wave will be, as Miller put it, a "scattershot" style attack where hackers use search engines and port sniffing to find as many RDP-enabled machines as possible. Later, targeted attacks aimed at administrators' PCs -- which they use to remotely manage their companies' data servers -- or those launched from bots already inside a network, seem likely.

Microsoft downplayed the threat to some degree, saying both in the MS12-020 bulletin and in the SRD blog that RDP was not turned on by default in any supported version of Windows.

Miller thought that was misleading. "I'm a little concerned that Microsoft is implying that RDP is not commonly used," said Miller. "It's used by server administrators and help desks.... It's a really good technology ... and enabled on a lot of corporate networks."

Storms pitched in as well.

"RDP is the way to remotely manage your servers," said Storms. "Let's be honest, it's enabled more often than not, and [switched on] on virtually every server."

"It's unfair to say it's not really widely used," added Miller. "I use it to connect to 40 to 50 machines a day in my job."

Because of what the experts said was the wide use of RDP, they thought Microsoft underplayed the severity of the vulnerability. "They're making a call to action, but without raising too many red flags," said Storms. "They're trying to get across [that this is significant] without saying it's doomsday."

Kandek wished Microsoft had a deployment priority higher than "1," the ranking the company assigned MS12-020. "This is more a '1+,'" Kandek said.

The biggest unknown is how fast hackers will figure out how to exploit the vulnerability, and thus how quickly Windows users will face attacks.

Kandek, Miller, Storms and Sarwate couldn't agree on a timeline, but all thought that active exploits would be in circulation quickly.

And even if they're not, there have been threats that wreaked havoc weeks or months after a Microsoft patch.

"I don't want to compare this to Conficker," said Miller, talking about the worm that infected millions of Windows PCs in late 2008 and early 2009. "But that did its worst 30 days, 60 days after the patch [of the exploited bug]."

Miller had a point: Although Conficker first appeared just 11 days after an October 2008 emergency, or "out-of-cycle" update, it only gained traction in January 2009, and peaked with a media frenzy three months after that.

Microsoft also released three other updates for Windows, and one each for Visual Studio and Expression Design, but the experts said they were small potatoes compared to MS12-020.

"It's all about RDP today," said Storms. "Either enable NLA or install the patch ... today."

March's six security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Obama administration invoking privacy concerns to block FOIA requests

The Obama administration is increasingly invoking privacy concerns to block Freedom of Information Act (FOIA) requests by journalists.

The FOIA includes nine exemptions that agencies can use to block disclosure of information in response to a FOIA request. Last year, the exemption most commonly invoked by the Defense and Homeland Security Departments, as well as the Federal Trade Commission and Federal Communications Commission, was the exemption to protect personal information that could affect an individual’s privacy, according to research by FierceGovernment.

In addition, the research found that federal agencies relied on exemptions 33% more frequently in 2010 than in 2008.

The FierceGovernment research would seem to contradict a statement made by Attorney General Eric Holder this week that the administration is making “meaningful, measurable progress in improving the way our department – and its partners and counterparts – respond to disclosure requests”, unless progress means turning down more FOIA requests.

Holder said that his department “achieved a release rate of more than 94 percent of requests where records were processed for disclosure. And we released nearly 80 percent of these records in their entirety.”

The attorney general said that the FOIA request backlog was reduced by a quarter last year and the backlog of pending requests by more than 40%. In addition, his department last year launched, which displays statistics and serves as a resource for those who make FOIA requests.


This article is featured on InfoSecurity

Group retaliates against Panda Security for comments about arrests

Spanish security firm Panda Labs found its website hacked by a spinoff of notorious hacker group Anonymous -- a clear retaliation against the sweeping arrests and indictments of the LulzSec group, first reported on

The names and e-mail addresses of Panda Security employees were posted on the website late Tuesday, along with a video detailing some of the hacking highlights of LulzSec, PC World reported, and a rant ultimately stating the group planned to continue its exploits.

“Yeah, yeah, we know … Sabu snitched on us,” the note reads, a reference to LulzSec leader Hector Xavier Monsegur, who was exclusively reported to have been collaborating with Federal officials for months in order to bring down the other members of the hacker collective.

Panda Security's website is back online, but the message is clear: The hacker group that calls itself "Antisec" plans to stand strong despite the arrests.

“To FBI and other s###s, come at us bros, we are waiting for you,” the message reads.

According to PC World, Luis Corrons, technical director for the security company's lab, was singled out by the hackers for praising the arrests in a blog post on Tuesday. The AntiSec hackers have previously accused Panda Security of aiding law enforcement.

Corrons wrote in a note on Twitter that Panda has not helped law enforcement find LulzSec members -- though he would have liked to have helped.

"I would have loved to be involved in that."

He also wrote that "We have our team taking a look into the defacement right now."
