Site Archives

Apple QuickTime Vulnerabilities

Posted on January 22nd, 2009

GSA Reference Number: AD090122-01

Simply Put: Apple has released patches to address multiple vulnerabilities in its QuickTime media player product. Unpatched QuickTime installations are vulnerable to remote exploitation if users view maliciously crafted files. These vulnerabilities affect QuickTime version 7.X.

Conficker Worm

Posted on January 21st, 2009

Recently, researchers have discovered millions of PCs that have been infected with the Conficker worm, also commonly known as Downup and Downadup. Conficker is a rather nasty worm that can quickly spread itself around a network once it has gained entry, which it can do in a few possible ways. The majority of systems are first compromised via a vulnerability in Microsoft’s Server service. This vulnerability, described in MS08-67, could allow remote code execution through specially crafted NetBIOS traffic. The worm has also been found on compromised web servers and can be installed when users try to view web pages served by the compromised server.

In-Session Phishing

Posted on January 16th, 2009

Security researchers have found yet another new technique phishers are using to collect user information. The new method is called “in-session phishing” and involves creating a pop-up requesting that the user re-enter username and password information for an already open banking session. First, the site hosting the malicious code will try to detect whether the user has an open banking session. The malicious site will then create a pop-up indicating that the banking session has expired and the user credentials must be entered again. Information typed into the malicious pop-up is then recorded by the phishers. Researchers have also stated that the pop-up may be cleverly disguised and can come in the form of customer satisfaction surveys or advertisements. Since the site is not technically injecting code or files onto the user’s machine, this type of attack will be harder to detect than normal trojans or viruses.

Federal Reserve Bank Phishing Emails

Posted on January 15th, 2009

The FDIC has issued an advisory warning consumers and financial institutions about a new email phishing scheme purportedly from the Federal Reserve Bank. The email claims there are new restrictions in place for wire transfers, and provides links to two websites that supposedly offer more information. These sites attempt to download malicious Trojans onto victim PCs. A copy of the phishing email can be seen in the FDIC advisory linked below. As always, Gladiator recommends that users do not click on links contained in unsolicited email. If you already received this phishing email and clicked on one of the links, Gladiator recommends that you run a full antivirus scan of your PC. Furthermore, you can try running a malicious software removal tool, such as Malwarebytes Anti-Malware, in an attempt to find any other unwanted programs.

January Patch Tuesday

Posted on January 13th, 2009

Microsoft has announced a patch for a critical vulnerability affecting several versions of Windows for both servers and workstations. The vulnerability could allow a remote attacker to access a system with full privileges.

Malware Basics – Part 1

Posted on January 9th, 2009

Part 1 – Recognizing an Infection
Part 2 – Incident Response Plans and Procedures

Introduction

We’ve all been faced with the following situation at one time or another. Imagine you’ve just walked in the door of your office, and one of your coworkers comes up to you complaining that his computer is running slowly. You tell him that is normal in the morning, but then he says his web browser keeps popping up new windows and then crashing. Of course, he forgets to mention that he was on a Flash game website when it all started, until you get to his desk and discover this for yourself. So, now what do you do? You suspect this machine has a virus or some other type of malware, but you aren’t sure. The computer has fully updated virus definitions, and a full system scan didn’t find any malware. But is the machine safe?

In Part 1 of Malware Basics, we’re going to review some signs that a machine may have malware.  Then we will go over some useful tools for identifying suspicious files even if your antivirus suite does not detect anything.  Finally, we’ll talk about how to identify what type of malware you found.  Part 2 of this series will deal with Malware Incident Response.

Is HTTPS Still Secure?

Posted on January 5th, 2009

There’s a buzz on the Internet about a new attack against the SSL certificates used to secure website communications. Researchers have been able to create new certificates for existing websites that appear legitimate to web browsers. That means if a user is browsing a fake website over HTTPS, his web browser will accept the certificate as valid. There will be no warning messages or approval dialog boxes. This could be detrimental to the Internet’s secure communications model, but how bad is it, really?