Hardhead's Blog

Location: Blue Ridge, Va., United States

Monday, August 27, 2007

Germans spot Chinese spy attacks

Germany joined a group of at least four other countries that have been targeted by hackers apparently located in China, according to a media report published on Monday.

The report, which came in this week's edition of Der Spiegel, fingered the world's largest nation as the source of Internet attacks which have stolen sensitive data from German government ministries. The article described the hallmarks of targeted Trojan-horse programs that have previously attacked -- and likely continue to attack -- companies and government agencies in Australia, Canada, the United Kingdom and the United States, according to computer-security experts.

http://www.securityfocus.com/brief/577

Double Whammy! Another Sony Case (And it's Not BioShock)

QUOTE:
Biometrics – yes. BioShock – no.

Hypothetical: Imagine that you visit your local mall and browse around for stuff to buy. And you decide to buy a new CD from your favorite artist and you also buy a brand new cool USB stick thingy on an impulse. You go home and stick the CD into your laptop's CD drive. It prompts you to install some software. You do so and while you are listening to the music, you open the USB stick package and start experimenting with your new toy. It has a fingerprint reader so you install the software for that as well. Guess what… you might have just installed, not one, but two different rootkit-like programs on your laptop.

We received a report that our F-Secure DeepGuard HIPS system was warning about a USB stick software driver. The USB stick in question has a built-in fingerprint reader. The case seemed unusual so we ordered a couple of USB sticks with fingerprint authentication. We installed the software on a test machine and were quite surprised to see that after installation our F-Secure BlackLight rootkit detector was reporting hidden files on the system.

http://www.f-secure.com/weblog/archives/archive-082007.html#00001263

Sunday, August 26, 2007

Vista Validation Issue Fixed

Quote:

We've been receiving reports on our forum and through customer service starting last night that Windows Vista validations have been failing on genuine systems. It looks now as though the issue has been resolved and validations are being processed successfully.

Customers who received an incorrect validation response can fix their system by revalidating on our site (http://www.microsoft.com/genuine). We encourage anyone who received a validation failure since Friday evening to do this now. After successfully revalidating any affected system should be rebooted to ensure the genuine-only features are restored.

http://blogs.msdn.com/wga/archive/2007/08/25/validation-issue-fix.aspx

Saturday, August 25, 2007

Vista Validation 0xC004C4A5 Errors

PLEASE READ (Or read the latest post for resolution steps)

http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=2054756&SiteID=25

Validation issues - Microsoft is having WGA server problems

Users of valid copies of Microsoft Vista ran into problems when trying to update their Vista installations.

Read more about it here.

Friday, August 17, 2007

RogueRemover DataBase Version 147 (8/16/07)

[Added]
VideoAccessCodec, Video iCodec

[Updated]
Rogue.Infector, Rogue.Misc, virusProtectPro, Video ActiveX Access

[Removed]
No applications were delisted.

[Notes]
RogueRemover Free and RogueRemover PRO now target 371 rogue programs.
RogueRemover PRO now immunizes against 2970 rogue sites.

http://www.malwarebytes.org/rogueremoverpro.php

The RogueRemover database is now available to be browsed at:

http://www.malwarebytes.org/rogueremoverpro_database_history.php

Posted at Forum:
http://www.malwarebytes.org/forums/index.php?s=&showtopic=1096&view=findpost&p=7735

Note: Please update via the program updater

Thursday, August 16, 2007

MPack: Getting More Dangerous

In our previous alert we discussed ‘What is Mpack and how it works’. We had reviewed MPack version 0.84 in our previous blog. This time we will compare it with an updated version, MPack v0.91.

1. The exploits include the existing ones present in v0.84. The list of exploits is present at the end of this blog.

2. There have been some changes to the management and reporting interface. A new file admin.php is introduced and stats.php has been removed.

The developers of the tool kit have provided admin.php for secure control and configuration of the Mpack installation. The Mpack owner can set username and password protection through settings.php.

http://www.symantec.com/enterprise/security_response/weblog/2007/08/mpack_getting_more_dangerous.html

Wednesday, August 15, 2007

Symantec, Intel work on microchip-level VM security

August 15, 2007 (Reuters) -- Symantec Corp and Intel Corp are jointly developing security products that could be built into tiny computer microprocessors, Symantec Vice President Rowan Trollope said on Tuesday.

The program, dubbed Project Hood, is part of an effort by both companies to expand their use of virtualization technology, or using software to replicate entire computer systems.

They are developing software security "appliances" that would work with virtualization technology that Intel is already incorporating into its computer chips, Trollope said.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9030767

Flash vulnerability reveals open ports

From http://scan.flashsec.org/:

Summary
Due to a design flaw in ActionScript 3 socket handling, compiled Flash movies are able to scan for open TCP ports on any host reachable from the host running the SWF, bypassing the Flash Player Security Sandbox Model and without the need to rebind DNS.

You can see a proof of concept at the site, and it's quite interesting to watch. This happens inside your firewalled network, just by browsing the internet.

http://sunbeltblog.blogspot.com/2007/08/flash-vulnerability-reveals-open-ports.html

Tuesday, August 14, 2007

Microsoft Security Bulletin Summary for August 2007

Published: August 14, 2007

6 Critical:

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)

Vulnerability in OLE Automation Could Allow Remote Code Execution (921503)

Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965)

Cumulative Security Update for Internet Explorer (937143)

Vulnerability in GDI Could Allow Remote Code Execution (938829)

Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)


3 Important:

Vulnerability in Windows Media Player Could Allow Remote Code Execution (936782)

Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)

Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)


http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

Saturday, August 11, 2007

Malwarebytes' Anti-Malware MBAM 0.67 Beta

Version 0.67 Beta (August 10th, 2007)

1. (FIXED) Improved erasing of arrays.
2. (FIXED) Improved expansion of variables.
3. (FIXED) Database support on Unicode systems.
4. (FIXED) Corrupted encryption of quarantine items.
5. (ADDED) Old version of database in update success screen.
6. (ADDED) Ability to enable/disable context menu.

Microsoft Internet Explorer 5.5 or higher.
250MHz processor with at least 64MB of RAM.
Windows 2000, NT, XP, or Vista.
3MB of available free space on hard drive.
Internet access for updating definitions.

You must download the beta by going to the site below
http://www.malwarebytes.org/beta

Please use the built-in updater.
Post all bugs here.

Thursday, August 09, 2007

Microsoft Security Bulletin Advance Notification for August 2007

This is an advance notification of nine security bulletins that Microsoft is intending to release on August 14, 2007.

Microsoft Security Bulletin Advance Notification issued: August 9, 2007
Microsoft Security Bulletins to be issued: August 14, 2007

http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

What to do before Patch Tuesday? at http://www.dozleng.com/updates/index.php?showtopic=9112

Microsoft will host a webcast to address customer questions on these bulletins on August 15, 2007, at 11:00 AM Pacific Time (US & Canada). Register now for the August Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Red Curtain

MANDIANT Red Curtain is software for Incident Responders that assists with the analysis of malware. MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.

http://www.mandiant.com/mrc
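The paragraph above lists the characteristics Red Curtain weighs (entropy, packing indications, packer signatures, presence of a digital signature) without showing how such a score is produced. The following is an added illustration written for this page, not MANDIANT's code: it parses the PE section table, computes Shannon entropy per section, flags packer-style section names, checks whether the Authenticode security directory is populated, and folds these into a simple score. The entropy threshold, the section-name list, the weights and the two constructed in-memory PE images (which are not valid executables) are assumptions chosen for demonstration.

```python
"""Toy PE "suspiciousness" scorer: entropy, packer section names, signature presence.
Added example; thresholds, weights and sample images are assumptions."""
import math
import struct
from collections import Counter

# Assumed list of section names commonly left behind by packers (illustrative only).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}
# Assumed threshold: 8-bit data tops out at 8.0 bits/byte; compressed or encrypted
# sections sit close to that ceiling, ordinary code and data sit well below it.
ENTROPY_PACKED = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Return the section table (name, raw bytes) and whether the security
    data directory (Authenticode signature) is populated, for a PE32/PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    # Data directories start at offset 96 (PE32, 0x10B) or 112 (PE32+, 0x20B);
    # entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY, non-zero size means a signature blob exists.
    dd_base = opt + (96 if magic == 0x10B else 112)
    _sec_va, sec_size = struct.unpack_from("<II", blob, dd_base + 4 * 8)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         blob[raw_ptr:raw_ptr + raw_size]))
    return {"sections": sections, "signed": sec_size > 0}


def score_pe(blob: bytes) -> dict:
    """Combine the indicators into an assumed additive score with human-readable reasons."""
    info = parse_pe(blob)
    score, reasons = 0, []
    for name, data in info["sections"]:
        ent = shannon_entropy(data)
        if ent >= ENTROPY_PACKED:
            score += 2
            reasons.append(f"{name}: entropy {ent:.2f} bits/byte")
        if name in PACKER_SECTION_NAMES:
            score += 2
            reasons.append(f"{name}: packer-style section name")
    if not info["signed"]:
        score += 1
        reasons.append("no Authenticode signature present")
    return {"score": score, "signed": info["signed"], "reasons": reasons}


def build_sample_pe(sections, signed: bool) -> bytes:
    """Constructed minimal PE32 skeleton for demonstration; it is not runnable code."""
    opt_size = 224                                            # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                      # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x100)  # placeholder security dir
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + bytes(opt) + table + b"\0" * (raw_ptr - hdr_end) + body


# Constructed samples: one unsigned image with a UPX-named, maximum-entropy section,
# one signed image whose sections look like ordinary code and strings.
SAMPLE_PACKED = build_sample_pe([("UPX1", bytes(range(256)) * 4), (".rsrc", b"\0" * 64)], False)
SAMPLE_CLEAN = build_sample_pe([(".text", bytes([0x55, 0x8B, 0xEC]) * 300),
                                (".data", b"hello world\0" * 20)], True)

if __name__ == "__main__":
    for label, blob in (("packed", SAMPLE_PACKED), ("clean", SAMPLE_CLEAN)):
        print(label, score_pe(blob))
```

Two practical points the toy makes visible: a packed or encrypted section is recognisable purely from its byte distribution, independent of any signature database, and an image can be unsigned and low-entropy and still be malicious, so the score is a triage aid for deciding which files deserve a closer look, not a verdict.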

Tuesday, August 07, 2007

Malwarebytes' Anti-Malware MBAM 0.66 Beta

Version 0.66 Beta (August 6th, 2007)

1. (FIXED) Problems with initial memory scan.
2. (FIXED) HKCU key expansion.
3. (FIXED) Problem with complex infections not being detected.
4. (FIXED) Problem with modules being confused as processes.
5. (FIXED) Improved overall stability and speed of entire application.
6. (ADDED) More details to log.
7. (REMOVED) Registry permission code, too buggy.

Microsoft Internet Explorer 5.5 or higher.
250MHz processor with at least 64MB of RAM.
Windows 2000, NT, XP, or Vista.
3MB of available free space on hard drive.
Internet access for updating definitions.

You must download the beta by going to the site below.
http://www.malwarebytes.org/beta

Please use the built-in updater.
Post all bugs here.

Sunday, August 05, 2007

Rogue Remover & Pro database update 08/04/2007 {v146}

Version 146 (8/04/07)

[Added]
No applications were added.

[Updated]
Rogue.Infector, Video ActiveX Access

[Removed]
No applications were delisted.

[Notes]
No further comments

http://www.malwarebytes.org/rogueremoverpro.php

The RogueRemover database is now available to be browsed at:
http://www.malwarebytes.org/rogueremoverpro_database_history.php

Posted at Forum:
http://www.malwarebytes.org/forums/index.php?s=&showtopic=1096&view=findpost&p=7113

Note: Please update via the program updater

Malwarebytes' Anti-Malware MBAM 0.65 Beta

Version 0.65 Beta (August 4th, 2007)

1. (FIXED) Optimized database HKEY expansion.
2. (FIXED) Problem with timer counting every 10 seconds.
3. (FIXED) Minor problems with LoadDatabase().
4. (FIXED) Problem with %WINDIR% variable.
5. (ADDED) Compression to database.

Microsoft Internet Explorer 5.5 or higher.
250MHz processor with at least 64MB of RAM.
Windows 2000, NT, XP, or Vista.
3MB of available free space on hard drive.
Internet access for updating definitions.

Note: You must download the beta by going to the site below.
http://www.malwarebytes.org/beta

Note: You may need to check your e-mail, as you probably are not able to download the file using the built-in updater.
Post all bugs here.

Friday, August 03, 2007

Malwarebytes' Anti-Malware MBAM 0.64 Beta

Version 0.64 Beta (August 3rd, 2007)

1. (FIXED) Problem with logfiles not creating properly.
2. (FIXED) Various UI improvements.
3. (ADDED) Language strings for monitor.
4. (ADDED) Better error handling to LoadDatabase().
5. (ADDED) Shell context menu.
6. (ADDED) Better program termination cleanup code.

Microsoft Internet Explorer 5.5 or higher.
250MHz processor with at least 64MB of RAM.
Windows 2000, NT, XP, or Vista.
3MB of available free space on hard drive.
Internet access for updating definitions.

http://www.malwarebytes.org/beta

Please use the built-in updater. Post all bugs here.

We are nearing a release date.

Malwarebytes' Anti-Malware MBAM 0.63 Beta

Version 0.63 Beta (August 2nd, 2007)

1. (FIXED) Memory leak with program not terminating properly.
2. (FIXED) Settings not saving correctly under certain conditions.
3. (FIXED) Language not loading immediately after being selected.
4. (FIXED) Further compressed certain images.
5. (ADDED) Description of rootkit detection in results list.

Microsoft Internet Explorer 5.5 or higher.
250MHz processor with at least 64MB of RAM.
Windows 2000, NT, XP, or Vista.
3MB of available free space on hard drive.
Internet access for updating definitions.

http://www.malwarebytes.org/beta

Please use the built-in updater. Post all bugs here.

Thursday, August 02, 2007

WinPatrol 2007(Version 12)

Quote from Bill Pytlovany:

I'm again pleased to announce a new and improved WinPatrol. Thank you for telling your friends and co-workers about WinPatrol. In November we'll be celebrating the 10th Anniversary of WinPatrol. It wouldn't have been possible without your support.

What's New

A. New Scotty Icon
You'll see a brand new icon in your taskbar. Many users are using the default dark theme in Vista and have suggested a new icon so they can see Scotty and feel more secure.

B. Two New Report Options
Folks have been asking for more information especially for helping their friends and family fix problems. Our new version includes two new output formats designed to help diagnose any problem.

1. HijackPatrol Log
The new HijackPatrol Log button on the options screen will create and display a style of output familiar to many online helpers. HijackPatrol logs aren't exact duplicates of the popular HijackThis log or meant to replace them, but the format should be familiar. HijackPatrol logs will also contain additional information which is routinely monitored by WinPatrol.
2. SpreadSheet Log
Important details will be output in a CSV (Comma Separated Value) format popular with spreadsheets and many database programs. WinPatrol users will be able to sort all their system data in any format they want.

C. Easy Access to PLUS Info
Program properties and PLUS Info have been combined into a single page of information from our extensive online library. Instead of multiple steps, you can now just double click on any filename to access the new improved PLUS format. Free WinPatrol users will also see improved information to help them decide if a program is worthy.

D. PLUS Requests updated for future expansion
This change also allows us to expand our PLUS Info response and provide more specific and helpful information based on more than just a filename. You'll see some additions immediately when using WinPatrol 2007 version 12.

E. Bugs Fixed
Yea, I found one or two.
1. Fix size bug in autodetection of Explorer/Run/Policy autostart entry.
2. Auto correct screen position errors on multiple monitor systems when registry has been corrupted.
3. Local flag sent for any country code and not just ones currently supported.
4. Secret Startup location checkbox now available immediately after entering PLUS name/code.
5. Found solution to why Scotty's bark was silent in Vista.
6. Fixed bug reading large HOST, WinPatrol History and Netscape Cookie files.

Thank you for your support!

http://www.winpatrol.com/upgrade.html

Wednesday, August 01, 2007

Malwarebytes’ Malware Upload Center

Malware is always mutating and new variants are emerging every day. If you should discover a file on your computer that our Malwarebytes’ Anti-Malware doesn’t recognize as malware while you suspect it is, then Malwarebytes is inviting you to submit these suspicious files for analysis by our experts.

You can simply send this file to our anti-malware team for investigation by uploading it here.

http://uploads.malwarebytes.org/

Malwarebytes' Anti-Malware MBAM 0.62 Beta

Version 0.62 Beta (July 31st, 2007)

1. (FIXED) Minor optimizations in code.
2. (FIXED) Tabstops in correct order.
3. (FIXED) Shrunk filesize of images.
4. (FIXED) Issues with lockup deleting registry key.
5. (FIXED) Issues with lockup terminating processes.
6. (FIXED) Optimized trim function firing.
7. (FIXED) Changed module enumeration code.
8. (ADDED) Regular file check before rootkit check.
9. (REMOVED) Startup progress bar. It was unnecessary.

Microsoft Internet Explorer 5.5 or higher.
250MHz processor with at least 64MB of RAM.
Windows 2000, NT, XP, or Vista.
3MB of available free space on hard drive.
Internet access for updating definitions.

http://www.malwarebytes.org/beta

Please use the built-in updater. Post all bugs here.