View Full Version : MS Alerts - Q4-2006

2006-11-26, 20:57

- http://isc.sans.org/diary.php?storyid=1888
Last Updated: 2006-11-26 17:04:40 UTC
"Windows MSRT: Progress Made, Trends Observed"* is a paper published in early November by the Microsoft Antimalware Team giving "perspective of the malware landscape based on the data collected by the MSRT". The tool, by default, "only looks for malware that are currently running or linked to through an auto-start point, such as in the registry...
Backdoor Trojans... are a significant and tangible threat to Windows users... Out of the 5.7 million computers cleaned, the MSRT has removed a backdoor Trojan from over 3.5 million (62%) of them... Bots, a sub-category of backdoor Trojans... represent a majority of the removals... Rbot, Sdbot, and Gaobot compose three of the top five slots in terms of total number of removals... The increase in Win32/Rbot removals is due to a large number of variants of that malware family being added to the MSRT each release. On average, approximately 2,000 new variants of Win32/Rbot have been added to the tool each month".
Correlations in the paper:
"The largest correlation shown... is between rootkits and backdoor Trojans. In approximately 20% of the cases in which a rootkit was found on a computer, at least one backdoor Trojan was found as well. This emphasizes the trend of a large number of rootkits being distributed or leveraged by backdoor Trojans... The percentages are also high between P2P worms and backdoor Trojans and IM worms and backdoor Trojans. The high values here are also expected given that many P2P worms and IM worms will often drop bots on the computer when they are run."

* http://tinyurl.com/yhwtn2


2006-12-15, 21:43

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=196700135
Dec 15, 2006
"...The update fixes a long-standing security problem in Windows XP SP2, which starts an automatic scan for wireless networks when a laptop boots or powers up from hibernation. Windows' Wi-Fi client goes through a list of previously-used wireless networks, and if it finds one, connects. The convenience, however, is offset by possible "man-in-the-middle" attacks, where criminals monitor hotspot traffic and then dupe others' notebooks into connecting to their PC, which is posing as an access point. Once an attacker has tricked a user into connecting to the rogue hotspot, he can capture all wireless data, including passwords or other confidential information. "This update helps prevent a Windows wireless client from advertising the wireless networks in its preferred networks list," Microsoft said... When asked to explain why the patch was not distributed through Automatic Updates or posted to the Microsoft Update Web site, a company spokesperson did not directly respond, but only pointed out an October security advisory* that described an earlier edition of the fix. Microsoft typically follows up an advisory with an official patch deployed as a security update, but did not do so in this case. The advisory offers no additional explanation..."
* http://www.microsoft.com/technet/security/advisory/917021.mspx
"...Advertising the name of your preferred networks creates the potential for a man-in-the-middle attack. This patch won't stop your Windows notebook from using a spoofed network, but it will fix it so that the hacker would have to guess the name..."
Download: http://support.microsoft.com/kb/917021
Last Review: November 21, 2006
Revision: 3.2
• Microsoft Windows XP Service Pack 2, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional...
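
What "advertising the preferred networks list" looks like on the wire, as an added example that is not part of the quoted articles or the original post: a Python parser for 802.11 probe request frames that reports which network names each client names in directed probes, so an administrator can check whether a client still leaks its list. The frames are constructed sample bytes, and every function and variable name is this example's own.

```python
MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
SUBTYPE_PROBE_REQ = 4
TAG_SSID = 0

def probe_ssid(frame: bytes):
    """Return (client_mac, ssid) for a probe request ('' = wildcard), else None."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None                      # not a management/probe-request frame
    mac = ":".join(f"{b:02x}" for b in frame[10:16])   # Address 2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):         # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length or (tag == TAG_SSID and length > 32):
            return None                  # truncated or malformed element
        if tag == TAG_SSID:
            return mac, value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

def leaked_networks(frames):
    """Map each client MAC to the network names it advertised in directed probes."""
    leaks = {}
    for frame in frames:
        parsed = probe_ssid(frame)
        if parsed and parsed[1]:         # skip wildcard probes (empty SSID)
            leaks.setdefault(parsed[0], set()).add(parsed[1])
    return leaks

def build_frame(src: bytes, ssid: bytes, subtype: int = SUBTYPE_PROBE_REQ) -> bytes:
    """Construct a sample management frame (test data only, not a capture)."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return hdr + bytes([TAG_SSID, len(ssid)]) + ssid + bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])

CLIENT_A = bytes.fromhex("020000000001")   # constructed, locally administered MACs
CLIENT_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(CLIENT_A, b"HomeNet"),
    build_frame(CLIENT_A, b"CoffeeShop"),
    build_frame(CLIENT_B, b""),                       # wildcard probe only
    build_frame(CLIENT_B, b"CorpAP", subtype=8),      # beacon subtype: ignored
]
if __name__ == "__main__":
    for mac, names in leaked_networks(SAMPLE_FRAMES).items():
        print(mac, sorted(names))
```

A client that sends only wildcard probes produces no entry in the result, while one that names networks in its probes is listed with each name it exposed.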