trend micro – Paul's Tech Talk

WordPress Security Tips — For the untrained :

PaulJune 10, 2009

I was reading over at Malware Diaries, about a hacker that doesn’t secure his exploits. What gets me is that I am so surprised that he did that, then I thought about it and I read what Trend Micro had to say about it:

Creating a website is indeed a big task but, considering the present threat landscape, monitoring it and keeping it secure from attacks is a bigger one.
Website administrators have the responsibility to keep their systems malware free, secure web server files from unauthorized access, and keep their website clean of malicious codes, for their own sake and most especially, their visitors’.

[via Trend Micro blog]

[ad]Now admittedly Trend talks about the [intlink id=”3578″ type=”post”]Gumblar[/intlink] and how they compromise websites with either a FTP password stealer or and SQL Injection. These are a common practice with hackers and thief to get the credentials to use your server for their means. So I wanted to talk about some things you can do to better protect your WordPress blog. Since I have a WordPress Blog this was something I know about.

WordPress Security Scan — This is a great plugin to help you identify and also suggests how you can fix them to prevent a hacker from getting in the first place.

Block Wp-Folders from being Indexed — This can be done by going to your robots.txt file and making sure it says:

Disallow: /wp-*

Protect your Wp-admins folder — Attackers can use brute force attacks to without much waiting to get access to your Wp-admin page so you should:

Login Logger Plugin — This is good to see if anyone is trying to login and keeps a log for those instances where you might need to block a certain IP in the .httpaccess file section.

Limit Login Attempts plugin — This has a set amount of login before that IP is locked out for a certain amount of time. You can have it set to what you want an hour or more, it just depends on your preference.

Bad Behavior — This is a good little plugin to help with spam such as referral spam and comment spam. I’ve been using it for the past few months and my referral spam has dropped drastically to almost Zero.

These are just a few things I’ve done to help protect my blog and protect my community and users. I will not disclose everything because I have to keep those bad guys from getting in but I have I hope started you in the right direction. I would also suggest using something like [intlink id=”2646″ type=”post”]Roboform[/intlink] that comes with a password generator to use that with your wordpress login password. This will also help prevent from gaining access easily.

Hackers Jump onto Power Point Exploits : KB969136

PaulApril 3, 2009

In my Previous post, we talked about Microsoft [intlink id=”3280″ type=”post”]Advisory for KB969136[/intlink] and the exploit was in the wild. It looks like Trend Micro has published some new spam attempts to get the users to open up the Maleware for them to deposit TROJ_PPDROP.AB onto there systems.

[ad#cricket-right-ez]Trend Micro has some screen shots of the most common Fake Presentations for you to see just how they try to get you to open the file.

Although these are some common tactics for attackers to use such as nude pictures, Earth Hour, or Celebrities without Makeup, users who don’t normally use PPT should check the files out before you load them. You also should remember to save them to a file and [intlink id=”2205″ type=”page”]scan them with your Anti-virus software[/intlink], also it wouldn’t hurt to have a firewall software. It looks like these exploits tries to connect to the internet and you might be able to find out by the request from the firewall.

According to Internet Storm Center, the CVE place Holder for this is CVE-2009-0556 and hasn’t become live yet. I do not think they will release that information until they get a chance for Microsoft to patch the systems.

This would be a good time to remind IT staff and anyone who might use Power Point that they should not open anything they aren’t expecting and even then they should verify with your IT staff that it is safe until Microsoft issues a patch for this. I expect that if this become widely used it will be released out of Cycle or even In May’s Patch Tuesday. According to Microsoft you could install Microsoft Office Isolated Conversion Environment (MOICE) but requires Office 2003 and Office 2007 systems. Find out how you can use this work around at Microsoft’s Advisory of KB969136 for further instructions.

You won’t make money from W32:Sality.ao

PaulFebruary 23, 2009

People should be cautious of the making money because there is a variant out there trying to leverage the users into thinking they can make money.

McAfee Says “W32/Sality.ao is a parasitic virus that infects Win32 PE executable files. It infects files (*.exe and *.scr files) on the local, network and removable drives by overwriting code in the entry point of the original file and saving the overwritten code in its virus body. It then appends the virus body to the host file.”

Aliases for this Virus is:

PE_SALITY.JER (Trend Micro)

Virus.Win32.Sality.aa (Kaspersky)

Virus.Win32.Sality.y (Ikarus)

Virus:Win32/Sality.AM (Microsoft)

W32.Sality.AE (Symantec)

W32/Sality-AM (Sophos)

W32/Sality.AE (Norman)

W32/Sality.AH (Panda)

W32/Sality.AK (F-Prot)

Win32.KUKU.a (Rising)

Win32.Sality.OG (BitDefender)

Win32/Sality.AA (VET)

These links should help people understand it it. You can visit my Malware Resources to help remove this virus. Something to consider before removing this is to disable your restore points.

Remember there’s no easy to make money, the only real way is to work hard. According to my research the Anti-virus companies have ways to remove this virus and as long as you update your database.

Internet Security Companies Warn about Patch Tuesday and Valentines Day.

PaulFebruary 9, 2009

With Tomorrow being released some very highly rated Remote Code Execution to become Zero day in very short time. Some researchers are speculating about more viruses will be released in conjunction to Valentines day. According to this one post it will be likely to be E-cards being sent to try to lure you into downloading Malware.
[ad#ad2-right]

Various security vendors, including CA Inc, MX Logic Inc., Trend Micro Inc., and Panda Security, have issued alerts about new Valentine’s Day-themed spam campaigns that try to dupe users into installing the Waledec bot.

Researchers note that many websites which are affiliated to Waledac e-card scam have been recently updated with content based on the Valentine’s Day theme.

Web sites distribute Trojan files which are commonly named love.exe; onlyyou.exe; you.exe; youandme.exe; and meandyou.exe and the list is not exhaustive.
[Via Express Buzz]

So which ones will likely be the exploits they will use? I have a few theories on that and One of them is the INTERNET EXPLORER vulnerability that will be patched and will try to get you to launch the link and will most likely try to launch it in Internet explorer, That would be my guess. It seems to be Internet Explorer 7 and Below which will be patched so if you want to try out the IE 8 Beta, You should be safe on that. Although the best bet is to prevent users from clicking links in emails and also warning them not to open any attachments they are not expecting. I’d also have the AutoPatcher ready to install the lastest patches for this Tuesday and schedule a time this week to update all the possible systems involved with the Databases. Although this isn’t one that tries to steal your data it is however a chance the writers to look at what you have and you know how that can be call a data breach. So if your the IT for the department I’d suggest sending out warnings so they can keep from being caught with their pants down. I’d also suggest having Anti-Virus and free Firewall installed on all the major systems and it wouldn’t hurt to have the installed on minor systems if at all possible.

Figuring out the Email-Worm Win32.Zafi.b

PaulDecember 13, 2008

This is another just I just saw on the web and wanted to talk about what this little Worm does and what it’s known Aliases:

Email-Worm.Win32.Zafi.b (Kaspersky Lab) is also known as: I-Worm.Zafi.b (Kaspersky Lab), W32/Zafi.b@MM (McAfee), W32.Erkez.B@mm (Symantec), Win32.Hazafi.30720 (Doctor Web), W32/Zafi-B (Sophos), Win32/Zafi.B@mm (RAV), PE_ZAFI.B (Trend Micro), Worm/Zafi.B (H+BEDV), W32/Zafi.B@mm (FRISK), Win32:Zafi-B (ALWIL), I-Worm/Zafi.B (Grisoft), Win32.Zafi.B@mm (SOFTWIN), Worm.Zafi.B (ClamAV), W32/Zafi.B.worm (Panda), Win32/Zafi.B (Eset)

[ad#ad2-left]This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks.
It is written in Assembler, and packed using FSG. It is 12800 bytes in packed form, and 33292 in unpacked form.

This Worm seems to be running through email and file sharing sites, One thing it tries to do is stop the process and deletes:
fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe

It attempts to detect antivirus program files on the computer and overwrite them with a copy of itself.

[ad#ad2-right]It also attempts to conduct DoS attacks on the following sites:

www.2f.hu
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu

This seems to be a very big virus and can be removed with the use of Kapersky Virus removal tool for free for this type of virus. In order to prevent this virus in the future the user has to remember about not getting opening unknown documents or emails and not running any unkown program from an unknown file sharing. Also remember you need to have an anti-virus and also a firewall to protect yourself in the future.