-
by Todd R. Weiss, Computerworld
-
Jun 28, 2007
Fake Microsoft Attack E-mails Hit Inboxes
Thursday, June 28, 2007 9:59 AM PT Posted by Erik Larkin
Fake e-mails that appear to warn about an Outlook zero-day security threat but instead attempt to install malware are making the rounds, according to the Internet Storm Center.
According to an example in the ISC's post, the e-mails are personalized with at least the first name of the intended victim and appear to come from "Microsoft Corp update@microsoft.com." They read as such:
You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.
A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.
As with previous personalized attacks, this message is well-crafted compared to most attack e-mails. On a scan, I noticed two typos in the sample - "Outllok" instead of "Outlook," and "succesful" instead of "successful." But those are minor compared to the egregious grammatical errors that usually give away these spoofed messages.

A link in the e-mail that supposedly points to a Microsoft patch will instead download a Trojan onto your computer. We can expect to see more examples of these relatively well-engineered attacks, so be on your guard. The messages so far have gone back and forth between using attachments and download links to spread their payload.
-
May 7, 2007
Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams
Source: FDIC.gov
Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. The Federal Deposit Insurance Corporation (FDIC) has produced a multimedia presentation to help consumers protect themselves from identity theft. The presentation provides information on steps consumers should take to secure their computer and protect themselves from identity theft, as well as actions consumers should take if they become a victim of identity theft. Financial institutions are encouraged to make the link available to their customers from their websites. This presentation is hosted by Vodium.
Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams.
Order your copy: "Don't Be an On-line Victim" CD-ROM Online Order Form.
Macromedia Flash Player is required to view this presentation. The latest version of Macromedia Flash Player can be downloaded at www.macromedia.com/go/getflashplayer. Installation questions or troubleshooting help can be found at http://www.macromedia.com/support/flash/.
-
Apr 13, 2007
New Storm Worm Outbreak Blasting The Internet
The latest variant is dangerous because it's encrypted to hide from antivirus programs and uses a hard-to-squash peer-to-peer network.
By Sharon Gaudin
InformationWeek
Apr 13, 2007 06:05 AM
The virulent Storm worm that blasted its way across the Internet in January has reared its ugly head again.
A variant of the Storm worm hit hard in a widespread spam campaign on Thursday. The Internet Storm Center reported detecting at least 20,000 infections today. Patrick Martin, a senior product manager with the Security Response Team at Symantec, said they received several hundred reports of the malicious e-mail making the rounds.
"This is potentially a huge problem," said Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center. "It's basically impossible to shut this thing down.... And once a user is infected, it's very hard to get rid of it. They would probably have to reinstall their system."
The outbreak starts with a wide-ranging spam attack that is littering e-mail inboxes around the globe. The e-mail has subject lines like "Worm Alert," "Virus Alert," "Worm Activity Detected!" and "Dream of You." Some of the subject lines even use the word "love" or promise a patch for "new bug." Martin said the spam generator is changing the subject lines on a regular basis to throw off users and antivirus vendors.
Inside the e-mail is an image and an encrypted zip file. The image has the password needed to open the zip file.
Unlike the original Storm malware, which was hidden in an executable file, this one is hidden in the encrypted zip file. Ullrich explained in an interview that means it's much more difficult for antivirus software to detect the malicious code. If they can't detect it, they can't stop it.
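The evasion described above works because the traditional ZIP password scheme encrypts only each entry's contents. The archive's central directory, including every file name and the general-purpose "encrypted" flag bit, stays in the clear, so a mail gateway can flag a password-protected archive that carries an executable name without ever knowing the password in the image. The following Python is an added example, not code from the article or from any vendor quoted in it. The archive it scans is constructed inline for the demonstration: the entry name is hypothetical, and the "encrypted" flag is set in the headers without actually encrypting the bytes, which is all this check looks at.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

# ZIP general-purpose bit flag, bit 0: the entry's data is encrypted
# (traditional PKWARE "ZipCrypto"). File names are not covered by it.
FLAG_ENCRYPTED = 0x0001

# Entry names a mail gateway would not expect inside a legitimate archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

# A valid DOS date (2007-04-12) so the ZIP reader sees a well-formed date field.
DOS_DATE = ((2007 - 1980) << 9) | (4 << 5) | 12


def build_sample_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Construct a minimal stored (uncompressed) single-entry ZIP archive.

    Test scaffolding for this example only: when `encrypted` is True just the
    header flag bit is set; the data is not really encrypted. The layout
    (local header, central directory, end-of-central-directory record)
    follows the PKWARE APPNOTE structures.
    """
    flags = FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack(
        "<IHHHHHIIIHH",
        0x04034B50,                  # local file header signature
        20,                          # version needed to extract
        flags, 0,                    # flags, compression method (0 = stored)
        0, DOS_DATE,                 # last mod time, last mod date
        crc, len(data), len(data),   # CRC-32, compressed size, uncompressed size
        len(name), 0,                # file name length, extra field length
    ) + name + data
    central = struct.pack(
        "<IHHHHHHIIIHHHHHII",
        0x02014B50,                  # central directory header signature
        20, 20,                      # version made by, version needed
        flags, 0,                    # flags, compression method
        0, DOS_DATE,                 # last mod time, last mod date
        crc, len(data), len(data),   # CRC-32, compressed size, uncompressed size
        len(name), 0, 0,             # name, extra, comment lengths
        0, 0,                        # disk number start, internal attributes
        0, 0,                        # external attributes, local header offset
    ) + name
    eocd = struct.pack(
        "<IHHHHIIH",
        0x06054B50,                  # end of central directory signature
        0, 0, 1, 1,                  # this disk, CD disk, entries here, entries total
        len(central), len(local),    # CD size, CD offset
        0,                           # comment length
    )
    return local + central + eocd


def inspect_archive(blob: bytes) -> Optional[dict]:
    """Read only the central directory; no password is needed for this.

    Returns None when the blob is not a ZIP archive at all.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return None
    return {
        "names": [e.filename for e in entries],
        "encrypted": [e.filename for e in entries if e.flag_bits & FLAG_ENCRYPTED],
        "executables": [e.filename for e in entries
                        if e.filename.lower().endswith(EXECUTABLE_SUFFIXES)],
    }


def should_quarantine(blob: bytes) -> bool:
    """Gateway policy: hold any archive with an encrypted entry whose name
    looks executable, the pattern the Storm spam used. Non-ZIP input is
    left to other scanners and not quarantined here."""
    info = inspect_archive(blob)
    if info is None:
        return False
    return bool(info["encrypted"]) and bool(info["executables"])


if __name__ == "__main__":
    # Hypothetical lure name; data is a fake MZ stub, constructed for the demo.
    sample = build_sample_zip(b"WindowsUpdate.exe", b"MZ\x90\x00", encrypted=True)
    print(inspect_archive(sample))
    print("quarantine:", should_quarantine(sample))
```

The scan never calls `ZipFile.open`, so it cannot fail on the missing password; it relies only on metadata the format leaves unencrypted. A gateway that wants the stricter policy the article's advice implies can drop the executable-name condition and hold every encrypted attachment from an unknown sender.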
If a user opens the file, the machine is infected with the malware, which then connects to a peer-to-peer network where it can upload data, including personal information from the infected computer, according to researchers at Postini. Postini noted that the new Storm variant drove Thursday's virus level to 60 times the average. The malware also can download additional malware onto the infected system.
The infected computer then becomes a zombie machine on a botnet, which can be used to send spam and launch other attacks. The malware also searches the computer's hard drive for e-mail addresses and replicates itself by sending e-mails to them.
The fact that infected computers connect through a peer-to-peer system and not to a standalone server or even a node makes it extremely hard to shut down, according to Ullrich.
"We traditionally can shut down the IRC server or whatever controls it," he explained. "But with this, there is no single server or node to shut down. To deal with this, you'd have to shut down those 20,000 infected hosts. We would have to walk up to every single one of them and pull the plug."
Ullrich added that it's frustrating that this type of attack, which depends on users opening an attachment from an unknown sender, still works ... and works so well. "It's user stupidity, and that's the thing there is no patch for."
