You are currently browsing the articles from MS Windows Vista Compatible Software matching the category
A
Written by bardissi on November 12th, 2007 with no comments.
Read more articles on TechSoup and Spyware & Malware and Anti-Virus and Computer Security and CompuMentor and Non-Profits and symantec and Business Computer Support and Windows XP and Non-Profit Technology and Network Infrastructure and Microsoft and Windows Vista.
A
Written by bardissi on November 12th, 2007 with no comments.
Read more articles on Anti-Virus and Windows 2000 and Computer Security and Seagate and Maxtor and Spyware & Malware and Student Computing and Business Computer Support and Windows XP and Home Computer Support and Non-Profit Technology and Network Infrastructure and Windows Vista.
A
Written by bardissi on November 5th, 2007 with no comments.
Read more articles on Spyware & Malware and Lavasoft and Student Computing and Network Infrastructure and Home Computer Support and Non-Profit Technology and Business Computer Support.
A
Written by bardissi on November 5th, 2007 with no comments.
Read more articles on Spyware & Malware and Student Computing and Lavasoft and Windows 2000 and Anti-Virus and Mac and Network Infrastructure and Windows XP and Business Computer Support and Home Computer Support and Non-Profit Technology and Windows Vista.
26 October, 2007
On Monday 22 October, we published an alert about a serious vulnerability that affects RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. RealNetworks released a patch to fix that problem. However, it appears that update marked just the beginning of RealNetwork security holes.
Late yesterday, RealNetwork released the second batch of security updates this week, this time fixing six serious vulnerabilities in their media player product line. Here’s what you need to know about the new flaws.
The new flaws affect many more products than the earlier flaw did, including products that run in OS X and Linux. The affected products now include:
Though these new flaws differ from one another technically, they share many similarities. For example, all six flaws involve buffer overflow vulnerabilities triggered when RealPlayer parses specially crafted media files. They also share the same scope and impact. If an attacker can entice one of your users into downloading a maliciously crafted media file, then playing it in RealPlayer, the attacker can exploit any of these vulnerabilities to execute attack code on that user’s computer. Depending on the user’s privileges, an attacker could even exploit these flaws to gain control of the victimr’s machine. The only notable difference among the flaws is that an attacker uses a different media file format to exploit each one. The potentially dangerous media files that trigger these flaws are:
Unlike the flaw covered in our 22 October alert, RealNetworks has not found attackers exploiting these new flaws in the wild yet. Nonetheless, these security holes pose a serious threat to RealPlayer users. You should download, test, and deploy these new patches as soon as you can, whether or not you applied the previous RealPlayer update from Monday. How you download the updates differs depending on which product you use. Refer to the “Instructions” section of RealNetworks security update for detailed directions on patching the different media player products.
As a convenient reference, we’ve duplicated the 22 October RealPlayer alert, below. You can also find it in the LiveSecurity Latest Broadcasts archive.
Late Friday, RealNetworks released a patch for a critical vulnerability affecting RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. If you allow the use of RealPlayer in your network, have your users upgrade immediately.
RealPlayer and RealOne Player are widely-used software for Internet media delivery. RealOne Player plays virtually every major Internet media format, including Windows Media, Quicktime, MPEG-4, and even DVDs. If you’ve watched streaming videos on the Internet, or listened to music samples while buying CDs online, you’ve probably encountered RealPlayer.
WatchGuard does not recommend using RealPlayer or RealOne Player, partly because both contain automatic communication features which, by default, let RealNetworks and RealNetwork’s “partners” (such as NASCAR and CNN) install software on your client computers. But in reality, many of your users have probably installed one of these products, with or without your permission.
In a security update released late Friday, RealNetworks warned of a new vulnerability that affects RealPlayer 10.5 and 11 beta running on Windows. (OS X and Linux users are not affected.) The flaw, discovered in the wild by Symantec, involves a buffer overflow vulnerability in one of RealPlayer’s ActiveX controls (specifically, ierpplug.dll). By enticing one of your users to a malicious Web site, an attacker can pass an over-long parameter to the vulnerable ActiveX control, which triggers the buffer overflow flaw. The attacker can then exploit the flaw to execute code on your user’s computer, inheriting your user’s privileges. Windows administrators often give users local administrator rights. If the exploit is successful in that context, the attacker would gain complete control of your user’s machine.
Symantec found attackers exploiting this vulnerability in the wild. In other words, the bad guys found the flaw first and are actively using it to break into computers. If you use RealPlayer in your network, this vulnerability poses a critical risk. You should apply RealNetwork’s update immediately.
RealNetworks has released a patch to correct this vulnerability. Clients who use RealPlayer 10.5 or 11 beta in Windows should upgrade immediately, or remove the software entirely. You can download RealNetwork’s patch here.
The vulnerability described in our alert uses normal HTTP traffic, which you must allow for your users to browse the Web. If you use RealPlayer in your network, you should download RealNetwork’s update as soon as possible.
RealNetworks has issued a Security Update that fixes the problem.
Written by bardissi on October 26th, 2007 with no comments.
Read more articles on Watchguard and Student Computing and Non-Profits and Spyware & Malware and Computer Security and Microsoft and Network Infrastructure and Windows XP and Business Computer Support and Home Computer Support and Non-Profit Technology and Windows Vista.
by Corey Nachreiner, CISSP, Network Security Analyst, WatchGuard Technologies
[Editor’s Note: This article supplements the list of attacks shown in Part 2 of the video series, Malware Analysis: Botnets. “Malware Analysis: Botnets, Part 2″ shows a small subset of botnet attacks in action. This article fills out that subset with more attacks commonly found in a bot herder’s arsenal. LiveSecurity subscribers can find the videos, free of charge, on our Video Tutorials page. –Scott]
You’ll often hear botnets described as a “hacker’s Swiss army knife.” Just as a Swiss army knife can come with a crazy variety of blades, scissors, and screwdrivers, bots come with numerous exploits and commands that allow bot herders to launch many different types of attacks.
Since coding up a bot client takes time and skill, most attackers buy bot code in the online underground. Popular malicious bots include Phatbot, Agobot, and the one shown in our video, Rxbot. These bot clients use modular code, so if a bot herder doesn’t love the array of commands his bot offers, he simply adds new ones. For examples, read on.
Bot herders commonly leverage their bots as huge spam relays. How huge? According to a recent study by Commtouch, 87% of all email sent over the Internet during 2006 was spam. This e-junk generated up to 1700 terabytes (1,700,000,000 megabytes) of Internet traffic every day. Botnets generated 85% of that spam, a tidal wave of unwanted mail.
Most bot code comes with at least a few commands to make spamming easier. Some bots are even optimized specifically for spamming. A bot herder using Phatbot can issue the command harvest.emails to collect every email address on a victim’s computer. If a Phatbot herder’s botnet consists of thousands of victim machines, he could quickly and easily create gi-normous email lists to later spam.
Agobot is customized for spamming. It even includes its own SMTP engine so that it can spam directly. Its email spamming commands allow an Agobot herder to tell each of his victim’s computers to:
The bot in our video, Rxbot, is not considered a spamming bot. However, even it contains an elementary command that allows a bot herder to send an email from all his zombie victims.
Many bots include a SOCKS server. SOCKS (an abbreviation for sockets) is a networking protocol designed to pass TCP traffic through a proxy server. In other words, if a client wanted to visit www.google.com using SOCKS, the client would send its request to a SOCKS server instead of to Google directly. The SOCKS server forwards that request to Google and returns the response to the client. However, to Google it looks as though the request came from the SOCKS server, not the actual client.
Bot herders love to use the SOCKS proxy to spam. A bot master simply enables the SOCKS proxy on one of his bots, then redirects his SOCKS-compatible, mass emailing program to the IP address of that bot. This causes the email program to send email using that bot as a relay. If an anti-spam program blacklists the bot’s IP address, the herder activates the SOCKS proxy on another bot, and his spam seems to originate from a new, clean IP address.
Furthermore, the bot herder can use a SOCKS proxy to anonymize just about any network traffic. And in Rxbot, for instance, activating the SOCKS proxy is simple: one six-letter command initiates all those anonymizing benefits.
Bots also help herders launch Man-in-the-Middle (MitM) attacks. Most bots come with commands that allow their creators to redirect network traffic any way they like. For instance, a bot herder could tell a bot to redirect all its web traffic to his computer. Then, every time the unwitting victim (whose machine is hosting that bot) browses the Web, the attacker sees the traffic before forwarding it to its intended destination. This is one way bot masters capture sensitive information or steal login credentials.
Rxbot comes with the .redirect command. Herders can use this command to forward the network traffic destined for any TCP port, to any IP address they choose. Phatbot comes with additional redirect commands that allow it to forward GRE traffic, the special protocol used in establishing PPTP VPN connections. These examples merely hint at what a bot herder can accomplish with redirects.
Nowadays, the lure of illegal easy money motivates most bot herders. Our video shows how crooks can force their bots to click on revenue-generating Google ad words. As another example, Rxbot has a simple-yet-effective .visit command. If you send your bots this command, followed by a URL, they silently visit that URL. Here, silently is a technical term meaning the bot victim will not see her computer visit the URL. The visit happens in the background, without any web browser involvement. So, imagine you have 100,000 bots. With one command you could easily force all those bots to visit an online poll, vote, or game. If you wanted ToneDeaf UglyDork to win American Idol, you could command all your bots to visit the American Idol voting page and submit a vote. Since every vote would come from a different IP address, the results would look legitimate. And if the flaws in American e-voting aren’t fixed before 2008, bots just might elect ToneDeaf UglyDork as President, too.
Many IRC bots today have Instant Messenger (IM) and Peer-to-Peer (P2P) components in their attack arsenal. For instance, some bots allow you to send spam to IM channels (nicknamed SPIM ). Attackers commonly send malicious files or URLs to IM users, hoping to infect them with malware. Some bots incorporate commands that allow the bot herder to send these types of IM messages to his bots’ IM buddies. If those buddies then visit the URL or execute an attached file, they get infected with the herder’s bot and become minions in his botnet.
Some bots offer similar commands that help them spread via P2P applications. For instance, Agobot spreads by placing copies of itself in the share directories used by many popular P2P programs such as Kazaa and Limewire. The bot gives its file an enticing name, such as the title of a movie still in theaters. When someone downloads and runs this malicious trojan, their computer becomes another zombie.
In the video, we mentioned that many bots come with packet sniffers. Packet sniffers allow a bot master to see all of the network traffic that passes by his bots, and sometimes all the traffic that passes within the bot victim’s network as well. Attackers can learn a lot by sniffing a network. For instance, a bot herder might capture cleartext logins or see web cookies. They could even passively enumerate your infected network.
Agobot comes with some very advanced packet sniffing capabilities. Rather than sniffing and reporting every single packet, which creates volumes of junk for the herder to parse, Agobot allows a herder to sniff for specific strings or types of traffic. For example, you can command Agobot to capture all the web cookies it sees passing over a network. You can also specifically tell it to only sniff FTP, or IRC logins. In short, if something passes over a network in clear text, Agobot’s sniffing can pinpoint it.
In our video and this article, we’ve listed the most common “Swiss Army blades” used in bots today. Since botnets are evolving fast, bots could have all-new blades tomorrow. For now, you can protect yourself best by understanding the threat — and following the defense measures we outline in “Malware Analysis: Botnets, Part 3.” Look for it on our Video Tutorials page beginning 17 October, 2007. #
Written by bardissi on October 10th, 2007 with no comments.
Read more articles on Spyware & Malware and Computer Security and Watchguard and Student Computing and Home Computer Support and Network Infrastructure and Business Computer Support.
 |  |  |  |  |  |  |
 |  |  |  |  |  |  |
Stay current with MS Windows Vista Compatible Software on these personalized pages:
