Mebroot Becomes Even Stealthier!

Well, here is something we should all be on the lookout for:

Thousands of Web sites have been rigged to deliver a powerful piece of malicious software that many security products may be unprepared to handle.

Mebroot inserts program hooks into various functions of the kernel, or the operating system’s core code. Once Mebroot has taken hold, the malware then makes it appear that the MBR hasn’t been tampered with.

[Via PCWorld Magazine]

I will be updating my Malware Resource page for the Prevx software, but this looks to be a very bad rootkit.  From my understanding, most security-related software.   It seems this little program will become even harder to detect and remove.   It also looks like this is ready to start infecting people with this rootkit.   You should update every part of your system, from Windows patches to your browser. Secunia once said that most people are not fully patched!  Just like with the Conficker worm, if you're not fully patched and keeping anti-virus and a firewall on your system, then you might as well be walking on nails.
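The sentence in the PCWorld quote, that Mebroot makes the MBR look untampered, is the key operational point: once the kernel is hooked, anything that reads sector 0 through the infected OS gets a clean copy back. The check that still works is to dump the MBR from outside the running system (boot media, or a forensic image of the disk) and compare it to a known-good baseline. Here is an added example of that comparison in Python; it is not code from the original post or from Prevx or any other vendor. It parses the 512-byte sector into boot code, partition table and the 0x55AA signature, hashes the 446-byte boot code, and reports anything that differs from the baseline. The two sample MBRs are constructed for the example and contain no real boot code.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good hash.

Added example, not code from the original post or from any vendor. Because a
kernel-hooking rootkit returns a clean-looking sector 0 to anything reading it
from inside the infected OS, this check is only meaningful on a sector dumped
from outside the running system (boot media or a forensic disk image).
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot code hash, four partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_SIZE]
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_SIZE])
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code hash differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions, expected 1")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR with one bootable NTFS partition (not real boot code)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 409600)
    empty = b"\x00" * PART_ENTRY_SIZE
    return code + entry + empty * 3 + BOOT_SIGNATURE


# Constructed samples: a "clean" MBR whose boot code hash is the baseline, and
# the same partition table with different boot code, which is what an MBR
# infection looks like from outside the OS.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN-BOOT-CODE")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()
MODIFIED_MBR = build_sample_mbr(b"\xEB\x3C\x90HOOKED-BOOT-CODE")

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("modified:", check_mbr(MODIFIED_MBR, BASELINE))
```

In practice the baseline hash is taken from the same machine right after a clean install (or from the known boot code of the OS version in use), and the sector under test is read with `dd` from boot media or from a disk image, never through the possibly infected Windows kernel.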

And the Oscar goes to . . . Not these guys!

SANS Internet Storm Center is reporting on an anti-virus scareware tactic. I'll quote from them:


ISC reader Gary wrote in to let us know that searching for “oscar presenters” and “oscar winners” with Google brings up a prominently ranked result on a web server in Poland, on a subdomain of “beepl”, which – surprise, surprise – includes a malicious JavaScript. The end result currently seems to reside on stabilitytracewebcom, and is yet another incarnation of the “Fake Anti-Virus Program” malware that we have covered repeatedly. Watch out, the EXE has a meager 6/39 on Virustotal.
[Via SANS]

I did my own research and it is true: there are at least 3 sites on the .pl domain that are used to send you to these fake sites. You should consider checking your system for possible viruses if you have been to these sites and are worried. You should also report any site like this to PhishTank to fight this type of scare tactic. Please remember, if you are worried about your system, this is the best time to install software to prevent these types of scare tactics. Remember, you don't always have to buy software to be safe. There are free anti-virus and firewall solutions at your fingertips; use them well. It is also a good idea to make sure you have the latest updates from Microsoft while you're at it.

PDF Zero-Day Vulnerability in the Wild

From sources all over the internet: Adobe sent out a security bulletin yesterday:

APSA09-01 (Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat)

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe plans on patching this on March 11, 2009.

And according to other reports:

Symantec Security Response has received several PDF files that actively exploit a vulnerability in Adobe Reader. We are continuing to remain in contact with Adobe on this vulnerability in order to ensure the security of our mutual customers.

[via Symantec]

With PDF files being used all over the business world, this will create undue problems for the IT field.  This could also be used to build botnets and make the networks involved sluggish.   It must be warned that there is a whole wide variety of things that could be done with this exploit.  The Shadowserver Foundation recommends disabling JavaScript in your Adobe Reader.  Until the patch comes out you will need to be careful about what you open, and possibly check each and every PDF with an anti-virus.  This should help minimize the likelihood of getting a virus or Trojan, but it is not going to be 100%.  The only way you can prevent it 100% right now is not to use PDFs until they have fixed this problem.
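The advice above, to disable JavaScript and check every PDF before opening it, can be partly automated. Below is an added example of a PDF triage script in Python; it is not code from the original post, Adobe, Symantec or Shadowserver, and it does not detect the specific flaw in APSA09-01. It flags the PDF features that malicious documents typically rely on (a /JavaScript or /JS entry, an /OpenAction or /AA that runs it automatically, a /Launch action), including names hidden behind #xx hex escapes, so a file can be held back for a closer look instead of being opened in an unpatched reader. The three sample PDFs are constructed for the example. The scan is over raw bytes and does not decompress object streams, so a clean result is not proof that a file is safe.

```python
"""Triage PDF files for JavaScript and auto-run actions before opening them.

Added example, not code from the original post or from Adobe, Symantec or
Shadowserver. Flags features malicious PDFs commonly use; it does not detect
the APSA09-01 bug itself and does not look inside compressed object streams.
"""
import re
import sys

# Name objects a practitioner wants to know about before opening a file.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious names in a PDF body and return a verdict string."""
    # Readers tolerate junk before the header, so look for it in the first 1 KB.
    if data.find(b"%PDF-", 0, 1024) == -1:
        return {"is_pdf": False, "counts": {}, "verdict": "not a PDF"}
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Require a non-name character after the name so /JS does not also
        # count /JSX and /AA does not count /AAB.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[name] = hits
    has_script = "/JavaScript" in counts or "/JS" in counts
    auto_run = "/OpenAction" in counts or "/AA" in counts
    if has_script and auto_run:
        verdict = "quarantine: script wired to an automatic action"
    elif has_script:
        verdict = "review: contains JavaScript"
    elif "/Launch" in counts:
        verdict = "review: contains a Launch action"
    else:
        verdict = "clean by this check"
    return {"is_pdf": True, "counts": counts, "verdict": verdict}


def triage_file(path: str) -> dict:
    """Triage a PDF on disk."""
    with open(path, "rb") as fh:
        return triage_pdf(fh.read())


# Constructed samples (not real malware): a plain one-page PDF, the same file
# with an OpenAction that runs JavaScript, and the scripted one with its
# names hidden behind #xx escapes.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SCRIPTED_PDF = CLEAN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>"
) + b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
OBFUSCATED_PDF = (
    SCRIPTED_PDF.replace(b"/OpenAction", b"/Open#41ction")
    .replace(b"/JavaScript", b"/J#61vaScript")
    .replace(b"/JS ", b"/J#53 ")
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        result = triage_file(path)
        print(f"{path}: {result['verdict']} {result['counts']}")
```

Point it at a mail spool or download folder (`python pdf_triage.py *.pdf`) and hold back anything that comes out as "quarantine" until the reader is patched. A file that has JavaScript but no automatic action still deserves a look; it just cannot fire on open.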

Microsoft Released KB951847 Out of Cycle for January

I woke up this morning and found that KB951847 was released.  Here is what it is:

kb925492 FIX: Error message when you add a Web reference to a project in Visual Studio 2005: “The custom tool ‘MSDiscoCodeGenerator’ failed”
kb928563 FIX: The System.Net.HttpWebRequest class may not maintain a persistent connection to a proxy in the .NET Framework 2.0
kb943175 FIX: The XmlSerializer class generates an unexpected result when you use the XmlSerializer class to serialize the enumeration attribute in the .NET Framework 2.0
kb943412 FIX: You may experience delays when an operating system shuts down if the computer is running a managed service together with the .NET Framework 2.0
kb943804 FIX: Certain Unicode characters returned by the Application.ExecutablePath property in the .NET Framework 2.0 are displayed as “?”
kb944099 FIX: Error message when you use the SQL Native Client data provider to connect to an instance of SQL Server 2005 that is configured to use database mirroring: “Internal .Net Framework Data Provider error 6”
kb944100 FIX: You cannot access tables that are used in a SQL Server transaction if you end the thread that executes the transaction before the transaction is finished in the .NET Framework 2.0
kb944157 FIX: You may experience a significant delay when you make the first request to an ASP.NET Web application that is running on Windows Server 2003
kb946102 FIX: An ActiveX control will not receive keyboard navigation events when you use a System.Windows.Forms.WebBrowser control to host Web pages
kb946223 FIX: The input language in a text box on the Microsoft Expression Design surface does not function correctly when you change the input language to an East Asian language
kb946411 FIX: When you print an XPS file on a Windows XP Service Pack 2 or Service Pack 3-based computer, the characters in the XPS file print incorrectly
kb946503 FIX: Error message when you use the installer tool to install an assembly that is located on a remote computer: “An exception occurred during the Install phase”
kb946660 FIX: The headers attribute of a cell is rendered incorrectly when the cell is associated with multiple headers in an ASP.NET 2.0 Web application
kb946927 FIX: An installation may fail with error 1935 when an .msi file tries to install many policy files on a computer that has the .NET Framework 2.0 installed
kb947148 FIX: Incorrect methods are called when you call some COM APIs that are included in a .NET Framework 2.0-based 64-bit application
kb947317 FIX: In a Windows Forms application that was built by using the .NET Framework 2.0, the CurrencyManager object triggers additional instances of some events when you delete the last row from a table
kb947461 FIX: An update package is available for the .NET Framework 2.0 Service Pack 1
kb947581 FIX: The value of the “WsdlContractConversionContext.WsdlPortType” property is null in the .NET Framework 3.0 Service Pack 1
kb948233 You receive a System.InvalidOperationException exception error when you run a Microsoft .NET Framework 2.0-based application after you install security update MS07-040 on a computer
kb948646 FIX: Objects are not serialized correctly when you serialize and deserialize the DataSet objects by using the SerializationFormat.Binary format parameter in a .NET Framework 2.0-based application
kb948815 Availability of the .NET Framework 2.0 post-Service Pack 1 hotfix rollup package for System.Data.dll and System.Data.OracleClient.dll
kb948873 FIX: You may receive a System.Xml.XmlException exception when you use one-way Web methods to communicate with Web services in a .NET Framework 3.0-based application
kb948887 FIX: An exception occurs when a Web application that is based on the .NET Framework 2.0 uses the HttpWebRequest class and receives an HTTP 1.0 response that contains the HTTP status code 401
kb949272 FIX: A Windows Forms application that uses ActiveX controls may crash, and a null reference exception occurs after you install the .NET Framework 2.0 Service Pack 1
kb949777 FIX: Error message if you deploy an executable application to a path that contains escape characters in the .NET Framework 2.0: “Absolute path information is required”
kb950230 FIX: You receive a System.ArgumentException exception error message when you use the Sgen.exe tool and the XmlSerializer JIT compiler to generate an XmlSerializer assembly for a Web service proxy in the .NET Framework 2.0
kb950986 FIX: In the .NET Framework 2.0 Service Pack 1, the ModuleBuilder.GetTypeToken method returns an incorrect token
kb951111 FIX: Warning message when you use the SvcUtil.exe tool to import service metadata in the .NET Framework 3.5: “The policy expression was not fully imported because it exceeded the maximum allowable complexity”
kb951113 FIX: The set of values returned from the row.GetColumnsInError method is empty when a client computer that has the .NET Framework 2.0 installed receives a DataSet object from a WCF service
kb952324 FIX: You cannot download the .application file when you deploy an application by using ClickOnce deployment in a secure environment

As you can see, this fixes 30 things in this one service pack.  I see one or two things that might be exploitable and that is why they released this out early.  The ones that I see are like the ActiveX controls.   I don't know why, but this is for all systems on Windows, or at least it doesn't say anything otherwise.  This is the .NET Framework and should be installed as quickly as possible.   You should also consider making a new Autopatch ISO to install on all the necessary computers.  Also, if you haven't installed a free anti-virus or a good free firewall, now is a good time to install them.  I would expect this service pack to need a reboot, but other than that you should be fine.

*UPDATE*

After installing this service pack, I couldn't web browse.  It is one of the 8 updates that were installed with the service pack that will need to be resolved, so I will have to install the service pack again and then start uninstalling until I get my web browsing back.  You may need to reboot each time to clear it out of the system before you get your internet browsing back.   The recommended procedure is to write down the ones you remove so you can go back and install them later once you find the update that is causing the problem.  I'll update when I find the one that is causing the problem!!

*Update #2*

I did a system restore to Thursday night, just before I upgraded my AVG program. (It also needs to be restarted to update the core of AVG.)  I installed the service pack and it seems to be running.  I am thinking there is a conflict between AVG and the service pack now.  I am updating AVG to the current version and rebooting.  I'll see after that!