
27 April 2013

Windows Remote Desktop Client vulnerability could allow remote code execution

A vulnerability in the Microsoft Remote Desktop ActiveX control could, upon successful exploitation, allow an attacker to execute arbitrary code and take control of an affected system.

Detailed Description:

Microsoft has released a security update to address a vulnerability in the Remote Desktop ActiveX control (mstscax.dll). The vulnerability is a use-after-free: memory corruption that arises when the control attempts to access an object in memory that has already been deleted. As with any ActiveX control, the usual attack vector is a malicious web page that instantiates the control in Internet Explorer, so a victim only needs to be lured into viewing such a page. Upon successful exploitation, an attacker could execute code with the privileges of the logged-on user and take control of the affected system.

Microsoft fixed the issue by changing the way the Remote Desktop Client handles objects in memory. Users are advised to install the update promptly as protection against exploit attempts.


CVE Reference

CVE-2013-1296

Solution:

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms13-029

 

Source: Microsoft Security Bulletin MS13-029

 

Tips that help prevent virus infections on your computer

The following are some tips on how to prevent your computer from being infected by a virus.

Enable a firewall on your computer

Use a third-party firewall product or turn on the built-in Windows Firewall (called Internet Connection Firewall on older versions of Windows).

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software installed on your computer, not just for Windows itself: browser plug-ins and ActiveX controls such as the Remote Desktop client above are exactly what drive-by attacks target.


Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see 'Consumer security software providers'.

Limit user privileges on the computer

Starting with Windows Vista, Microsoft introduced User Account Control (UAC), which, when enabled, lets users run with least privilege and prompts for elevation only when a task actually needs it. This limits the damage from malware and other threats that require administrative privileges to run.

Use caution when opening attachments and accepting file transfers

Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to web pages

Exercise caution with links to web pages that you receive from unknown sources, especially if the links lead to a web page that you are not familiar with, are unsure of the destination of, or are suspicious of. Malicious software may be installed on your computer simply by visiting a web page with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer.

Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password, one that cannot be easily guessed by an attacker. The common guidance of at least eight characters combining letters, numbers, and symbols is a minimum; length does more for strength than character variety, so a longer passphrase is better, and a password should never be reused across accounts.

Stay Safe……..

Beware: a new virus steals bank passwords and account details

 

A new virus has been found to be "spreading widely" in Indian cyberspace; once run, it quietly steals the user's bank account details and passwords.

The country's cyber security sleuths have alerted Internet users to a new, suspected variant of the malware family 'Win32/Ramnit'.


"Ramnit worm spreads by infecting or modifying files existing on target systems such as (EXE, dll or html) and creating a new section so as to modify the entry point to that section," an advisory issued by country's premier cyber security agency -- Computer Emergency Response Team-India (CERT-In) -- said.

The malware, the advisory states, "steals credentials like file transfer protocol passwords, bank account logins, infects removable media, changes browser settings and downloads and executes arbitrary files".

The virus is particularly potent, cyber sleuths say, because it can hide itself from anti-virus solutions and goes by various aliases; it attacks both the system itself and the Internet connection it uses for email and other services.

The virus is so lethal in its operations that it "infects the removable media by copying itself to its recycle bin and creates an autorun.inf file," the advisory said.

Once the system is infected, the malware injects its code into Windows executables, HTML files or DLLs and communicates with its command and control server, thereby compromising the security of the online system.

Win32/Ramnit: Win32/Ramnit is a family of multi-component malware that spreads to removable drives and steals sensitive information such as saved banking and FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker.

Win32/Ramnit may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection. For specific recovery information, please see the Additional recovery instructions below.

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. Microsoft offers the following products to detect and remove this threat:

- Microsoft Security Essentials or, for Windows 8, Windows Defender

- Microsoft Safety Scanner

- Microsoft Windows Malicious Software Removal Tool

Symptoms

System changes

The following system changes may indicate the presence of this malware:

- Your antimalware or security product may not work correctly, or may not work at all

- The presence of the following files:

  "%TEMP%\wdexplore.exe"
  "%TEMP%\svchost.exe"

- The presence of the following registry modifications:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <malware folder path and file name>", for example "%ProgramFiles%\Microsoft\watermark.exe"  

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Sets value: "Start"
With data: "4"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Sets value: "Start"
With data: "4"
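The registry indicators above can be checked offline against an export collected from the suspect host. The script below is an added example (not Microsoft's or CERT-In's code): it parses the text written by `reg export` / .reg files, looks up the seven value/data pairs listed above, and flags any program other than userinit.exe in the Winlogon Userinit value. The export it runs on is constructed for the demonstration and is not from a real host.

```python
"""Triage helper for the Win32/Ramnit registry indicators listed above.

Added example (not Microsoft's or CERT-In's code): it parses the text format
written by `reg export` / .reg files and reports which of the advisory's
values are present, plus any extra program hooked into Winlogon's Userinit.
"""
import re

# Hive abbreviations used in the advisory -> names used by .reg exports.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# (key, value name, data) transcribed from the "System changes" list above.
# Start=4 disables a service; EnableLUA=0 turns UAC off; EnableFirewall=0
# disables the firewall profile; AntiVirusOverride=1 silences Security Center.
RAMNIT_INDICATORS = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", "4"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", "Start", "4"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv", "Start", "4"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
     r"\FirewallPolicy\StandardProfile", "EnableFirewall", "0"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc", "Start", "4"),
]
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (not taken from a real host): UAC and Security
# Center switched off, watermark.exe appended to Userinit, Windows Update
# left at its default Start=2 so the wuauserv indicator does NOT fire.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\Microsoft\\watermark.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
'''


def normalize_key(key):
    """Expand HKLM/HKCU and lower-case so advisory keys compare to export keys."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}} with data as a string.

    Handles the two data types the indicators use: quoted strings (undoing the
    backslash doubling .reg files apply) and dword:hex (converted to decimal).
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            data = str(int(data[len("dword:"):], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        tree[current][name.lower()] = data
    return tree


def ramnit_findings(tree):
    """Return (key, value, data, reason) for each advisory indicator present."""
    findings = []
    for key, value, expected in RAMNIT_INDICATORS:
        data = tree.get(normalize_key(key), {}).get(value.lower())
        if data == expected:
            findings.append((key, value, data, "matches advisory"))
    # Userinit is a comma-separated list; every entry after the genuine
    # userinit.exe is launched by Winlogon at each logon (Ramnit's persistence).
    userinit = tree.get(normalize_key(WINLOGON), {}).get("userinit", "")
    extra = [e.strip() for e in userinit.split(",")
             if e.strip() and e.strip().lower().split("\\")[-1] != "userinit.exe"]
    if extra:
        findings.append((WINLOGON, "Userinit", userinit, "extra program(s): " + "; ".join(extra)))
    return findings


if __name__ == "__main__":
    for finding in ramnit_findings(parse_reg_export(SAMPLE_EXPORT)):
        print(" | ".join(finding))
```

On the affected host, export the keys with reg export (for example reg export "HKLM\SYSTEM\CurrentControlSet\Services" services.reg) and open the file with encoding="utf-16", which is what reg export writes by default. A lone Start=4 match is not proof of infection, since an administrator can disable wuauserv or MpsSvc deliberately; the extra Userinit entry is the stronger signal. After cleaning, check that Userinit has been restored to "<system folder>\userinit.exe," and that the disabled services and UAC have been re-enabled, because removing the malware file does not by itself undo these settings.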

Recovery


If you suspect your computer has been compromised, we recommend using Windows Defender Offline to detect and remove this threat.

Using Windows Defender Offline

Windows Defender Offline works by allowing you to:

- Download a copy of the tool from a computer that has access to the internet

- Save a copy of the recovery tool to a removable drive, in order to create bootable media

- Run the recovery tool on the compromised computer

You might want to use Windows Defender Offline when:

- You need to scan your computer to check for rootkits and other malware

- You are infected with malware that prevents you from downloading and installing an antivirus or the latest updates for your antivirus software

- Your antivirus does not detect or remove advanced malware, such as a rootkit

Note: Windows Defender Offline is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start or otherwise effectively scan your infected computer due to a virus or other malware actively running on the computer and impeding the effective action of antimalware software. For no-cost, real-time protection that helps guard your home or small business computers against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

1.   Determine if you require the 32-bit or 64-bit download.
See the Microsoft Help and Support article for instructions on how to determine whether a computer is running a 32-bit or 64-bit version of the Windows operating system.

2.   Using a computer that can connect to the internet, download the version of Windows Defender Offline that applies to the affected computer.
If the affected computer is a:
- 32-bit computer, download the 32-bit version
- 64-bit computer, download the 64-bit version.
Note: In order for the recovery tool to be effective, make sure you download the version that matches the architecture of the affected computer. For example, if your 64-bit desktop is affected, you will need to download the 64-bit version of Windows Defender Offline and save it to a removable drive.

3.   Save the downloaded file to a local drive on your computer.

4.   Launch the downloaded file, and create a bootable device by following the instructions on the wizard.
Note: We recommend creating a bootable USB or CD; if you create a bootable USB, this can be updated for future use.

5.   From the affected computer, boot from the USB or CD you created in step 4.
Note: You may need to set the boot order in the BIOS to do this. This will be device specific, so if you are unsure, refer to your system manual or manufacturer.

6.   Follow the prompts to run a full system scan.
Depending on the outcome of the scan, your next steps will vary. Follow the prompts from Windows Defender Offline to manage any threat detections.

Steps you can take once your computer has been cleaned

- Install security software, such as Microsoft Security Essentials, or any of a number of other products that provide a complete, real-time antivirus solution.

- Keep your antivirus up to date by making sure you have the latest definitions.

 

Stay Safe……..

14 October 2012

Security Vulnerability in Firefox 16

- An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).

- A fix for the Android version of Firefox was released at 9pm PT on Oct 10.


Issue: Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.

Impact: The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.

Status: Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available.  As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/].  Alternatively, users can wait until our patches are issued and automatically applied to address 

Michael Coates

Director of Security Assurance

Alert! Worm spreading through Skype and Messenger

Since Saturday, a worm has been actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).

Someone who's infected with this worm will send you the following message:


Message in German asking to check your cool pictures

The link points to goo.gl, Google's URL shortener service. You land on Hotfile.com, a legitimate file-sharing website (it is not the first time Hotfile has been used to spread malware; the file has since been removed by Hotfile).


Links refers to Hotfile and will immediately download a ZIP file.

The positive thing is that it is a ZIP file and not an EXE, which means the user still has to unpack and run the malware manually. Inside the ZIP file we find the following file, disguised as a Skype setup file:


Looks like the real deal. But it's not.

When this file is executed, another file (an EXE with a random 4-character name) is dropped into the %appdata% folder of the currently logged-on user:


The icon suggests it's uTorrent. But it's not.



This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to the following IP addresses (each was looked up on IPVoid at the time of writing):
74.208.112.178
87.106.98.157
199.15.234.7
213.165.71.142
213.165.71.153
217.160.108.147

Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive, skype_05102012_image.exe, looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe

It then automatically sends a message to the victim's contacts, choosing the text by OS language from the following list:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary
aquesta s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c'est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?

It then adds the link and appends your username after the equals sign ('='):
http://goo.gl/QYV5H?img=

Let's take a closer look at the files:

skype_05102012_image.exe
Detection result: 23/44
MD5: 98f74b530d4ebf6850c4bc193c558a98
Sandbox reports: Anubis, Malwr, ThreatExpert

36A9.exe
Detection result: 16/44
MD5: 0d4b7f4c1731c91dff56afce0ecf37c5
Sandbox reports: Anubis, Malwr, ThreatExpert


The malware is commonly identified as Worm.Dorkbot and Worm.Agent or Generic Trojan.

Microsoft provides a description:
Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.
On my test machines no additional malware was downloaded, even after replicating a few times. Several variants of malware can, however, always be downloaded, whether ransomware, rogueware, ...
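The indicators in this post (the lure phrases, the goo.gl link with the appended username, the C2 addresses and the sample hashes) are easy to turn into a triage script. The code below is an added example, not part of the original write-up: it classifies chat messages, extracts the username the worm appended, scans firewall log lines for the listed destinations, and maps a file hash to the two samples above. The chat messages, usernames and Windows Firewall-style log lines it runs on are constructed for the demonstration.

```python
"""IOC matching for the Skype/Messenger worm (Win32/Dorkbot) described above.

Added example, not part of the original write-up: it flags IM messages that
carry the lure text or the campaign link, pulls out the appended username, and
scans firewall log lines for the C2 destinations listed in the post.
"""
import re

# Destinations the dropper contacts, transcribed from the write-up.
C2_DESTINATIONS = {
    "api.wipmania.com",
    "74.208.112.178", "87.106.98.157", "199.15.234.7",
    "213.165.71.142", "213.165.71.153", "217.160.108.147",
}
# MD5s of the two samples analysed in the post.
KNOWN_MD5 = {
    "98f74b530d4ebf6850c4bc193c558a98": "skype_05102012_image.exe",
    "0d4b7f4c1731c91dff56afce0ecf37c5": "36A9.exe",
}
# The worm appends the recipient's username after "img=".
CAMPAIGN_LINK = re.compile(r"https?://goo\.gl/QYV5H\?img=(\S*)", re.IGNORECASE)
SHORTENER_LINK = re.compile(r"https?://(?:goo\.gl|t\.co|bit\.ly|tinyurl\.com)/\S+", re.IGNORECASE)
# A few of the lure strings from the list above; a deployment would load all of them.
LURES = (
    "lol is this your new profile pic?",
    "hey is dit je nieuwe profielfoto?",
    "hej detta är din nya profilbild?",
    "hey c'est votre nouvelle photo de profil?",
    "hey la tua immagine del profilo nuovo?",
    "moin , kaum zu glauben was für schöne fotos von dir auf deinem profil",
)

# Constructed sample data (not real captures).
SAMPLE_MESSAGES = [
    ("alice", "lol is this your new profile pic? http://goo.gl/QYV5H?img=bob"),
    ("carol", "moin , kaum zu glauben was für schöne fotos von dir auf deinem profil http://goo.gl/QYV5H?img=dave"),
    ("erin", "meeting moved to 3pm, see https://bit.ly/abc123"),
    ("frank", "lunch?"),
]
# Windows Firewall (pfirewall.log) style: date time action proto src dst sport dport
SAMPLE_FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2012-10-08 14:03:11 ALLOW TCP 10.0.0.5 74.208.112.178 49211 80
2012-10-08 14:03:12 ALLOW TCP 10.0.0.5 93.184.216.34 49212 443
2012-10-08 14:03:15 ALLOW TCP 10.0.0.7 213.165.71.153 49300 80
"""


def normalize(text):
    """Lower-case and collapse whitespace so lure phrases match loosely."""
    return " ".join(text.lower().split())


def check_message(text):
    """Classify one IM message.

    Returns (verdict, reasons, username): verdict is "dorkbot" when the
    campaign link is present or lure text is combined with a shortened URL,
    "suspicious" for either signal alone, otherwise "clean".
    """
    norm = normalize(text)
    lure = any(normalize(phrase) in norm for phrase in LURES)
    campaign = CAMPAIGN_LINK.search(text)
    shortener = SHORTENER_LINK.search(text) is not None
    reasons = []
    if lure:
        reasons.append("known lure text")
    if campaign:
        reasons.append("campaign link goo.gl/QYV5H")
    elif shortener:
        reasons.append("shortened URL")
    if campaign or (lure and shortener):
        verdict = "dorkbot"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    username = campaign.group(1) if campaign and campaign.group(1) else None
    return verdict, reasons, username


def c2_connections(log_text):
    """Return (src, dst) pairs from firewall log lines whose destination is a
    listed C2 host or address; comment lines and short lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or line.startswith("#"):
            continue
        src, dst = fields[4], fields[5]
        if dst in C2_DESTINATIONS:
            hits.append((src, dst))
    return hits


def identify_hash(md5):
    """Map a file's MD5 (hex string) to the sample name from the post, if known."""
    return KNOWN_MD5.get(md5.lower())


if __name__ == "__main__":
    for sender, text in SAMPLE_MESSAGES:
        print(sender, *check_message(text))
    print(c2_connections(SAMPLE_FIREWALL_LOG))
```

Short links expire and hosting addresses get reassigned, so the goo.gl path and the IP list are point-in-time indicators; the lure text and the ?img=<username> pattern are the more durable part of the detection, and the extracted username tells you which account was already infected and sent the message.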

Conclusion
Worms spreading through Facebook, Twitter, IRC, MSN and Skype are nothing new. Still, the technique appears to be very successful, because human curiosity wins in cases of doubt:
"Do I really have (embarrassing) pictures of myself on this website? Better take a look!"
No, no, no! Never click on unknown links, especially when a URL shortener service like goo.gl is used (others are, for example, t.co, bit.ly, tinyurl, etc.).

Don't be fooled by familiar icons or "legit" file descriptions; these can easily be altered.
Even if you clicked the link without suspicion, you should become suspicious when a file is downloaded and no pictures are shown, only an EXE file.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/
http://virusscan.jotti.org/

Source: bartBlaze

