Threat Report 2010-02-11

Tim's Threat List is a weekly publication created as a service for Rutgers University faculty, staff and students and gathered from a variety of different sources. Due to the dynamic nature of technology, threats and warnings will change frequently.

Covered operating systems include Windows, MacOS, Solaris, RedHat, Fedora, Debian, and Ubuntu. Covered exploits and vulnerabilities include those known or suspected of allowing unauthorized remote access, privilege escalation, or significant DoS.


This week: Microsoft Patch Tuesday, and Do anti-virus products help anymore?


Microsoft Patch Tuesday

This month Microsoft brings us 13 security patches of varying criticality. At least two of them can result in a remote compromise of the system (although the second requires IPv6). The description of MS10-006 is particularly worrying:

An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.

This is not the first time, and probably not the last, that Windows file sharing has had a serious remote vulnerability. IPS recommends that everyone disable or firewall file sharing on their Windows systems, or else, if the service must be active, carefully permit only authenticated users from specific IP addresses to connect to it. Luckily the University firewall does block incoming SMB packets, so departments 'only' have to worry about attacks from 15,000 ResNet students and other infected departments rather than the whole of the internet.
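One way to apply the "firewall file sharing" recommendation above on a Windows host with Windows Firewall with Advanced Security, as an added example that is not IPS or Rutgers-provided code; the trusted addresses are constructed placeholders, and the script assumes an elevated command prompt on Vista/7/2008 or later, where netsh advfirewall is available.

```batch
@echo off
REM Added example: scope inbound SMB (TCP 445) and NetBIOS session (TCP 139)
REM to a short list of trusted addresses instead of leaving file sharing open.
REM 192.0.2.10 and 198.51.100.0/24 are constructed placeholders; replace them
REM with the management hosts or subnets that really need file-sharing access.
set TRUSTED=192.0.2.10,198.51.100.0/24

REM 1. Disable the built-in "File and Printer Sharing" rule group. These
REM    predefined rules are what normally allow 445/139 in from anywhere.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No

REM 2. Allow SMB/NetBIOS inbound only from the trusted addresses. Because
REM    Windows Firewall evaluates block rules before allow rules, the restriction
REM    is done by scoping this allow rule (remoteip=) rather than by adding a
REM    broad block rule, which would also override the allow.
netsh advfirewall firewall add rule name="SMB in - trusted hosts only" dir=in action=allow protocol=TCP localport=139,445 remoteip=%TRUSTED% profile=domain,private

REM 3. Make sure the default inbound action is "block" on every profile, so any
REM    SMB connection that does not match the scoped allow rule is dropped.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

REM 4. Check: the rule should list only the trusted addresses under RemoteIP,
REM    and the File and Printer Sharing group should show Enabled: No.
netsh advfirewall firewall show rule name="SMB in - trusted hosts only"
netsh advfirewall firewall show rule name=all | findstr /C:"File and Printer Sharing"
```

This scopes the server side of file sharing only; a host that still initiates SMB connections to untrusted machines is not protected by inbound rules, so the MS10-006 patch itself remains the fix.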

The remainder of Microsoft's patches include several that can result in system compromise if the user can be convinced to open a file or click on a link. This is not as serious as a remote exploit, but still worrying given how many users at Rutgers will willingly take such actions.


Do anti-virus products help anymore?

Many people around Rutgers complain about the effectiveness of our site-licensed software (Trend Micro OfficeScan) to IPS when we contact them and tell them they have been compromised. I will not go into a comparison of Trend vs. the competition here, but an interesting report was recently released that compares the use of AV tools to going without. The study found that 32% of systems with up-to-date AV software were infected anyway, while 46% of systems without such software were infected. So the difference between using AV or not is still significant, and it is still worth the cost and effort. However, the days when just running AV software was enough to protect you are long gone; do not expect AV software to solve malware problems all by itself.

Would you like to improve the effectiveness of Trend Micro on your Rutgers systems? RADS has some default settings you can change to make improvements:

  1. Change the real-time scan settings to include files 'created/modified and retrieved' and choose 'All scannable files'.
  2. Set up a nightly scheduled scan to check all local drives for malware and select 'All scannable files' rather than 'IntelliScan'.


Weekly Malware Report

The following are the top 5 most prevalent malware threats seen by RADS protected clients in the last week.

Virus Name      Total Infections
Mal_VundoG                 3,089
Mal_DLDER                  1,450
Mal_Otorun2                1,200

Vundo causes pop-up advertising to appear on an infected system. Infection is normally through some form of user interaction such as a drive-by download, clickjacking, or installation as part of a grayware software package. It may disable virus scanners and Windows automatic updates.


Weekly IDS Report

The following are the top 5 most prevalent signatures tracked by IPS' Intrusion Detection System for the past week. IPS runs a selection of signatures from Emerging Threats, Sourcefire, and our own custom sauce.

Signature Name                                                                              Total Alerts
ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan            73,795
ET USER_AGENTS Spyware User Configuration and Setup Access                                         9,373
ET TROJAN Hupigon User Agent Detected (??)                                                         8,701
ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection                           6,525
ET USER_AGENTS IE Toolbar User-Agent (IEToolbar)                                                   6,367


Significant Updates, Advisories, and Vulnerabilities:

Extremely CRITICAL*


Moderately CRITICAL*

*Threat severity classification definitions

The Office of Information Technology, Division of Information Protection and Security (OIT/IPS)