Managed Solutions » exploits

Duqu in the wild, not the drivers you were looking for.

Joe Hackman — Wed, 19 Oct 2011 11:30:45 +0000

Duqu not Dooku, Image Credit Tracheotomy Bob

The Duqu Remote Access Trojan (RAT) that hit the wild in Europe this week is not a character in the latest Star Wars movie. While it sounds like a George Lucas inspired character duqu comes from the ~DQ prefix that researchers noticed this previously unknown malware was adding to files it creates when it was discovered. I am sure Dairy Queen is happy with their choice. Joking aside this virus is no laughing matter. It seems to have been written by the authors of or with the benefit of the Stuxnet source code. Stuxnet is the virus that was believed to have setback the Iranian nuclear program last year. It’s smaller and appears to be designed to spy on infected computers with a combination of a key stroke logger, a data siphon and remove itself after eluding detection for 36 days.

A new breed of threat

One disconcerting aspect of this particular Trojan is that one of the drivers in a variant used a signed certificate of a known organization in Taiwan. That means that a windows machine will treat that driver as a legitimate driver, just like one you’d download to access a new hardware device on your Windows PC. Luckily the certificate has been revoked. This particular malware mask’s it’s presence on the infected machine quite well providing a challenge to detect.

What can you do to protect yourself?

All of the best practices that apply to information security will help you avoid Duqu. This includes:

Keeping your critical components up to date.
Cautious web surfing and Email habits.
Avoid public charging kiosks.
Avoid flash drives from unknown sources.

Did you already get infected? You might want to visit the post virus opportunity center.

Can we prevent this?

Seeing as the machines that were infected with this Trojan were hit when it was “Zero-Day” it is prudent to consider what other means may have prevented the infection. If it ends up that this virus communicates with hosts in remote countries that a security solution I recently proposed would prevent the infection from transferring or downloading any information rendering it useless.

More information

If you found this article helpful or interesting please share it with your friends.

Windows and Mac both vulnerable to potential USB Vulnerability

Joe Hackman — Mon, 31 Jan 2011 16:51:50 +0000

There are bulletins at us-cert.gov today for both Windows and Mac OS X being vulnerable to potential Human Interface Device (HID) functionality over USB exploit. The simplest way to explain this vulnerability is that both OS X and Windows lack a warning when you connect a USB connected device such as a smart phone when it is given keyboard or mouse capability. This could lead to a number of different compromises of the host system. This vulnerability has existed since USB HID support was added to both operating environments but was only publicly demonstrated recently. An example was demonstrated at the Black Hat DC conference, Cnet ran an article about it on January 19th.

Other USB related risks

USB connected devices have become a more common source of virus and malware infections. In 2010 there was actually a worm that spread via USB memory sticks called “Conficker” worm. As early as 2008 USB was becoming recognized as a much more common vector for virus propagation.

Protecting yourself

Since USB devices involve user interaction, it is an area where user education and caution is key. We can count on Apple and Microsoft to respond to this HID issue, but we can also say with certainty that there will be others that will come up in the future. Here are some simple suggestions to prevent becoming a victim:

Tips for individuals

Store your USB storage devices in a safe place.
Use memory sticks only from extremely trusted sources.
Do not allow others to use your computer to charge their USB devices.
Purchase memory sticks from trusted sources in clearly sealed packaging.

Extra tips for businesses

Include an area that governs USB devices in your Acceptable Usage Policy (AUP).
Do not allow third parties to use USB devices or charge phones on your corporate systems.
Consider implementing software or software policies that control access to USB ports on your systems.

You might also want to read these related articles on how you can function more securely:

Education: the Answer to Zero Day Exploits
Good Personal Choices – the most powerful Information Security Tool

Large batch of Google Chrome Vulnerabilities and How to Protect Yourself

Joe Hackman — Mon, 24 Jan 2011 17:23:14 +0000

There is a rather large batch of critical Chrome Vulnerabilities in this weeks US CERT advisory report SB11-024. The CERT Advisories are part of a US Government effort to keep people informed of product security issues. Most of them have a factor of 9.3 to 10 out of 10, the highest possible which means if exploited on your computer it is likely that the attacker could gain access to your computer. The actual bulletins include PDF and HTML document handling, denial of service and unknown impacts that lead to “stale pointer”. This would most likely occur when accessing a website or a PDF file with a vulnerable version of the Chrome browser.

Who should care?

Do you use the Chrome Browser or Chrome OS? If you do then you should take action to confirm that you will not be vulnerable.

How to tell

With your Chrome Browser open click the small tool icon in the top right of the browser window pictured below:

Once the above drop-down menu appears click the “About Google Chrome” menu item. This will result in a screen that will tell you if your browser is up to date and what version it is running:

The critical piece of information is the green check mark at the bottom of the page. If Chrome is not update or in this case is a version older than 8.0.552 your browser is vulnerable and needs to be updated. In most cases Chrome will be up to date as it is configured to update automatically. This is actually one of the strengths of this browser platform.

Joe Reviews SB10-242 Cert Report (Video)

Joe Hackman — Mon, 30 Aug 2010 08:32:22 +0000

Here is a review of this weeks Cert Advisory. This includes issues with Adobe products, Chrome and Mozilla Firefox. Be sure to update these products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video post a comment here or ask on our Facebook Fan Page.

Joe Reviews SB10-221 Cert Report (Video)

Joe Hackman — Mon, 09 Aug 2010 19:32:22 +0000

Here is a review of this weeks Cert Advisory. This update contains issues with Apple iTunes, Safari and Mozilla Firefox. Be sure to update these products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video post a comment here or ask on our Facebook Fan Page.

Plague of Adobe Acrobat and Reader Vulnerabilities Continues

Joe Hackman — Wed, 07 Jul 2010 17:33:13 +0000

I seem to write a post on this once a month minimum. When I opened this weeks Cert advisory there were 14 9.3 vulnerabilities for Adobe Reader and Acrobat. This plague of vulnerabilities and the related exploits that have popped up remind me of Internet Explorer 5 years ago. So here at Managed Solutions we are once again advising our clients to apply any updates to Adobe products when prompted or to exercise extra caution with .pdf files. Here is the menacing list of vulnerabilities announced on 6/30/2010:

14 Adobe Acrobat Vulnerabilities

Why you should not bypass Java and other Updates

Joe Hackman — Mon, 05 Apr 2010 23:56:07 +0000

A very common complaint by end users involves “automatic updates” and some people go to great lengths to avoid them. We published this quick tip about when and how to run them to minimize the impact. There are several programs that you should think twice before bypassing or ignoring the update:

Windows Critical Updates
Adobe Acrobat
Flash Viewer
Oracle/Sun Java

The last item on this list is the primary purpose for this post, check out this bulletin from March 2009 related to Oracle Java. There were a total of 27 new security fixes:

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 27 new security fixes across all products.”

So please, when you get the notices for these updates – run them. Another great way to avoid many of these problems is to operate your computer with an account that has lower permissions. We will write a follow up describing how to do that and why.

If you’d like to see a chronological history of the Java updates or see if there are new ones go here. You can also add them to your RSS reader here.

Update Microsoft Office Products – Joe Reviews SB10-074 Cert Report (Video)

Joe Hackman — Mon, 15 Mar 2010 19:24:22 +0000

Here is a review of this weeks Cert Advisory. This update contains the infamous Arucer.dll that came with the charging software on the Energizer Duo USB. Also definitely recommend updating your Microsoft Office products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video post a comment here or ask on our Facebook Fan Page.

Update Adobe Acrobat, Again – Joe Reviews SB10-060 Cert Report (Video)

Joe Hackman — Fri, 05 Mar 2010 20:22:57 +0000

Here is a review of this weeks Cert Advisory. Adobe Acrobat has returned, please be sure to update! This is a weekly feature here at Managed Solutions. If you have questions about this video post a comment here or ask on our Facebook Fan Page.

Google Chrome Vulnerabilities – Joe Reviews SB10-053 Cert Report (Video)

Joe Hackman — Thu, 25 Feb 2010 04:35:11 +0000

Here is a review of this weeks Cert Advisory. Surprising number of Google Chrome issues this week, luckily Chrome is updated constantly and quietly without prompting. This is a weekly feature here at Managed Solutions.