Archive for June, 2006

Turkish Hackers Active

The Microsoft France website was defaced today.  The defacement included a claim that it was done by Turkish hackers.  (See: here.)  This follows another defacement on Apple's online store in May, also claimed by a Turkish hacker.

On Friday, I received a spam message in a foreign language I did not understand.  At first, I thought it was Hungarian, because I receive plenty of Hungarian spam due to past correspondence with Hungarian reporters.  (Postini's Threat Report, released January 2006, reports that those in publishing or advertising receive the most spam.  Because spammers harvest email addresses from the machines they infiltrate, friends of those who fall victim to such attacks also become the recipients of much spam.)  However, it was not Hungarian.  It was Turkish:

Merhaba taraftar, bagnaz !
DAVET http://almanya2006.net/
Ancak icin simdiki erbap futbot
ayni taze havadis ve hediye her
Iyisini bulamazsin !

With the help of Dr Jan Hruska, Co-founder of Sophos, who provided me this translation:

Welcome fanatical supporter !
Invitation (to visit) http://almanya2006.net/
Only for someone expert (in) football
The same fresh news and a present for her
Plentiful

with an attachment named fifabook.rar, containing fifabook.exe.  Just another World Cup scam, I thought.  Turns out, fifabook.exe is a spyware program and is detected by VirusScan as Backdoor-BAC.gen.b.

So, now Turkish computer users are being targeted for spyware installation.

It is good to note that recently, last August, Turkish officials did arrest the authors of Zotob and Mytob in a cooperative effort involving the FBI, Moroccan officials, and Microsoft.  But we need many more of these.

The difference, though, is that Turkish hackers were attacking others before.  Now they've turned on their own people.

Low-Profile for the Excel 0-day vulnerability

Last week, Microsoft announced that it had received a single report for a new 0-day vulnerability involving Excel. A malicious spreadsheet was attached to an e-mail and sent to a targeted victim. Various information is available from Microsoft and an interesting FAQ is also available on the Securiteam blog:
http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
http://www.microsoft.com/technet/security/advisory/921365.mspx
http://blogs.securiteam.com/?p=451

Today, this threat has been deemed Low-Profiled due to media attention. FrSIRT has also posted an announcement at http://www.frsirt.com/english/advisories/2006/2361.

According to various reports, the original file is named okN.xls. Supposedly, when a user opens the file, the application unexpectedly closes and some binary files are dropped in the Windows System directory as well as in the system root directory.

I have studied a sample. It had a 127,488 byte size. On my French system, the file had a long name with semi-graphical ASCII characters, possibly of Asian origin. After I renamed the file and opened it in an English Microsoft Excel 2000 version running on a Windows 2000 environment, the expected exploit did not occur. The filename visible in the upper-left corner of the window indicated to me that the file was partially loaded, but no spreadsheet was visible. When I attempted to close Excel, I received an application error message saying some memory address could not be read. I made another test on a Windows XP-PRO (French) environment with Excel 2002. This time an error message appeared and the file could not be loaded.

My colleagues also tested the file in a Japanese environment with the same disappointing results. We suspect that the exploit is more specifically crafted for Excel 2003 running on a specific OS version. It perhaps uses hardcoded return EIP offsets.

Despite these problems, the XLS file and its embedded downloader are detected as downloader-AWV.dr and downloader-AWV.

Microsoft patching more critical vulnerabilities

If you have the feeling that Microsoft could be addressing more critical vulnerabilities, you may be right. Avert Labs has counted the number of vulnerabilities rated Critical and Important over the last 2 1/2 years and plotted them cumulatively by year (two graphs: "Critical vulnerabilities addressed by Microsoft" and "Important vulnerabilities addressed by Microsoft").
The top graph shows that this year Microsoft has already addressed as many critical vulnerabilities as in the whole of 2005. The bottom graph shows that the number of important vulnerabilities has not changed significantly.

Last week we wrote that we may see the start of a vulnerability growth trend fueled by bounty programs and organized crime. While too early to tell, the statistics indicate that Microsoft seems to be addressing an increasing number of critical vulnerabilities.

Bagles & Locks

Another round of Bagles hit the net today. There were two main executables mass-spammed through previously infected systems. Both were classified as W32/Bagle.fb (one was simply a repackaging of the other). This variant used a trick more commonly seen in Bagle variants two years ago, but less since. The virus sends itself in a password protected ZIP archive and the code needed to unlock the ZIP is sent along with the email messages as a .GIF image attachment.

Bagle-sent email

McAfee VirusScan users were protected from the executables within these password protected ZIPs; detected as either W32/Bagle.dldr or New Malware.b (packed versus never-packed). Email messages sent by the virus may also be detected as W32/Bagle!eml.gen by email scanning products.

This variant started to pick up steam just after 8:00am PDT, peaked within a couple of hours, and is on the decline.

Named detection has been released in the latest DAT update.

Getting to where people are …

One of the most important means for malware to be effective is its selection of an infection vector. An infection vector can be defined as the transmission vehicle that malware uses to spread itself. It is quite natural for malware to gain a wider infection-rate if the vector it chooses is a popular means for communication or collaboration among computers or computer users.

History shows that the most popular means of collaboration among computer users has been e-mail. This is why the world has seen the most successful malware exploiting email as it spreads. Some of the other popular means of computer-supported collaboration are USENET, IRC, P2P and IM, and we have seen a consistent rise in malware targeting these collaborative systems. Dmitry Gryaznov described this in his excellent paper "Malware in Popular Networks".

It might not be possible to predict a complete list of all the infection vectors that malware could use; this list is constantly evolving. We have recently seen malware targeting "orkut", an internet social network service. There have also been recent reports of worm propagation through social networking websites like "MySpace" and "Xanga".

Mobile phones are no exception: it is early, but mobile technologies like SMS and Bluetooth are already seeing a rise in malware.

Well! Malware authors do certainly seem to continually find newer ways to reach places where people are.

“Email Blast, From the Past”

A Microsoft Word document was mass-spammed today, which exploits MS01-034. While this vulnerability was patched nearly 5 years ago, the DOC file can still deliver its payload if users allow Word to run the malicious macro within. Spammed messages use attachment names such as apple_prices.zip, prices.zip, and sony_prices.zip. The archive contains a file named my_notebook.doc, which contains a list of notebooks for sale:

  • Apple MacBook Pro MA463LL/A Notebook PC
  • HP Pavilion DV8230US Notebook PC
  • Sony VAIO VGN-FS830/W Notebook PC

The DOC file also contains a macro that drops a downloader trojan, which in turn downloads a parasitic virus that is itself a downloader.

The infection trail can be represented like this:

Spammed email message -> ZIP attachment (prices.zip) ->
Malicious DOC file / Macro (my_notebook.doc) -> Dropped EXE file (666inse_1.exe) ->
Downloaded File (zmacro.txt) -> Downloader Files (…)

This is all attributed to the Sality virus author. Sality is a parasitic infector that utilizes DLL injection and encryption. It also contains a downloader payload to install Adware, remote access trojans, keyloggers, proxy servers, etc.; yet another recent case of a parasitic virus delivering spyware.

Detection for the DOC file and the dropped downloader trojan (666inse_1.exe) will be contained in the next DAT release as W97M/Dropexe and Generic Downloader.ab respectively. Existing W32/Sality.t detection (released May 31, 2006) covers the downloaded Sality virus.

Speaking of old vulnerabilities being targeted by malware, MS03-011 (patched for more than 3 years) is still on the list of top threats being reported by VirusScan Online customers (see Exploit-ByteVerify). Again, this is exploited by the distributors of spyware in the shape of drive-by downloads.

DropExe is now Kukudro

A quick update on recent DOC file mass-spammings. Two new variants of the W97M/Kukudro trojan (briefly referred to as W97M/Dropexe) were mass-spammed today (Kukudro.b and Kukudro.c). CME numbers have been assigned for the .A and .B variants:

W97M/Kukudro.a!CME-745

W97M/Kukudro.b!CME-476

See: http://vil.nai.com/vil/content/v_140053.htm for details.  

Stolen VA Computer Recovered

Yea!  And maybe, hopefully, none of the identity information was compromised.  (See story.)  What can we learn from this?

First, CA 1386 provides exclusion for data that is encrypted.  That should seem outright obvious to everyone.  ENCRYPT IT!

There is a question whether the employee had permission to have the data at home.  Make sure you have policy to certify this condition.  For instance, if I have permission to work at home, and I have permission to access the data, without further conditions, this presumes I have permission to have the data at home.  If this is not what you want, make sure everyone knows the situation and the permissions required.

There is the question whether the identity information was compromised.  How can we help to determine such a scenario if it happens to us?  First, make sure that the access to the major database produces an *encrypted* data subset.  (Log the access and review the log often.)  This would promote the consideration that such data on the recipient machine should remain encrypted.  Plus, knowing he has a protected copy, any unencrypted version can be erased when not actively being used.  So, the lifespan of unencrypted copies is shorter.  Second, this forces the user/worker to decrypt the information at the time he needs to work with it, causing a new file to be created with the then-current time/date stamp.  This would help forensics. 

This is not a complete solution, because create/delete/create/delete fills up the hard disk with "unused" sectors that would contain the sensitive information.  But that would happen without this process.  So, at least adopt a process that is useful.  And be reminded that the disk needs to be wiped often.

When's the best time to learn and think about all this?  When someone *else* makes the mistake, of course.  Unless your purpose is to get funding.  But do you want to have to spend that much money and face all that bad publicity?

French companies are concerned with their computer security

On Wednesday, the CLUSIF (Club for the Security of Information in France) presented its study "Policies of Computer Security & Losses in 2005". The study concludes that French companies are increasingly setting up policies and procedures to protect their information systems; however, they fall short on approving the budgets necessary to support them.

In a 58-page document (in French), the association synthesizes the testimony of representatives of 400 companies with more than 200 employees from all business sectors. Results show that in 2005, 56% of French companies had a defined policy for information system security, compared against only 41% two years earlier, when the previous study was conducted.

CLUSIF notes that only 38% of the companies envisage increasing the budget for information system security, 46% announce that they will keep it constant, 4% will reduce it and 12% have not made a decision.  The study notes that upper management seems difficult to convince: they are not yet fully reassured about the proper use of the security budgets they have already accepted and approved for their company.

In addition, the study demonstrates a "strong will of control" on behalf of the people in charge of information system security (RSSI). Most prefer to block the use of new technologies rather than seek a solution for their secure deployment. Thus 76% of them prohibit webmail access, 73% refuse VoIP use, 56% prohibit Wi-Fi and 43% prohibit PDAs and smartphones.

Regarding recorded losses, only 36% spoke about viruses and 2% about intrusions into the system. The largest share, 56%, comes from design or software deployment errors; 47% report loss of essential services like electricity and telecommunications, and 46% report errors of use.

Losses due to accidental causes remain the most numerous. However, malice and negligence are nevertheless present. At first they appear numerically small, but when we look at them cumulatively and then extrapolate to French companies as a whole, the number of reported incidents seems significant:

  • Design errors in software deployment: 58%
  • Loss of essential services: 47%
  • Errors of use: 46%
  • Theft: 44%
  • Internal breakdowns: 37%
  • Virus infections: 36%
  • Natural disasters: 8%
  • Physical accident: 6%
  • Data disclosure: 4%
  • Targeted attacks: 4%
  • Malicious acts: 3%
  • Sabotage: 3%
  • Intrusion: 2%
  • Fraud: 2%

I Hate the Password Policy!

Every XX days (I'm sure if I actually told you the exact number, I'd be breaking some kind of rule), the system tells me that my password has expired and I have to change it.  I will manage to change it without problems.  But, as I log into the various corporate assets from each of my many machines, or if one of my machines stayed online while I changed the password from a different machine, it's a given that within the next few days our HelpDesk will have to re-enable my account, because the system has locked me out due to too many accesses with the old password.

There are many components to password policies.  Most people probably do not have this same problem.  But just the same, most people hate their own password policy just as much as I do!

As I understand it, most objections revolve around the myriad standards a password must meet to pass the "strong password" test.  They include a length requirement, a mix of lower- and upper-case letters, numbers, and/or punctuation, and the need to change it every so often, without being allowed to write it down.  So, new passwords need to be invented that are complex yet easy to remember.

Well, I can help you with that.  It's called pattern passwords.

How to Create Easy-to-Remember Strong Passwords Using Patterns

What would you say about a password such as

7ujmnbg%TGB

Easy to remember, isn't it?  Well, to remind me, I'm going to scribble a "75" on a Post-It and put it on my monitor.

It has 11 characters, has upper and lower-case, even a punctuation mark.  Certainly, it would pass any corporate policy on strong passwords.  (And if not, just adjust it after I finish teaching you the concept.)  And I could never forget this password, because, frankly, you can't forget what you never knew!  ;-)  But "75" reminds me.

Here's the password:

That's the letter "J" starting at the position of "7" (7ujmnbg).  Followed by the letter "I" but using [Shift], starting at the position of "5" (%TGB).  And so "75" reminds me that this month, "my password" uses the character positions of "7" and "5" to instantiate the password.

What is my password?  No, not "7ujmnbg%TGB"!  I told you I don't even know my password.  ;-)  My password is the keyboard pattern for the letters "J" and "I"!

Keyboard pattern passwords.  You can decide to use the pattern for letters, numerics, geometric figures (circle, triangle, dash), symbols (plus, equals, star [yhnuhbghj]), and for the cultured linguists, symbols and characters from other languages, like parts of Chinese characters, or the Russian, Greek, Arabic or Hebrew alphabets…  Pick anything that you can identify with (not something that can identify you!), or is easy to type, or easy to remember, or all of the above.  And pick two patterns or a long pattern, to give you enough characters to satisfy your corporate password policy.  And remember to include use of the Shift key at appropriate points, or the pattern will be too easy for others to notice and crack.  This is very important.  The use of Shift at strategic locations within your pattern is what distinguishes your password from others, and makes it difficult for a new version of password crackers that could be programmed to look for pattern passwords.

Now that you know what pattern passwords are, let's discuss how to use them to satisfy the different aspects of your corporate password policy.

Length.  Design your pattern so it has enough characters to fulfill the password length requirement.  If the first pattern you like is short, add a second pattern, or even a third.  Or append a numeric sequence; it simply becomes an additional pattern that you add, except that perhaps the additional characters are chosen not to change from month to month.

Upper and lower case, numbers, punctuation.  Judiciously choose where and when to apply the [Shift] key to create the special characters.

Changing the password from month to month.  Move your pattern around the keyboard.  This month, my password location is "75".  Next month, it will be "64".  The following month, it is "53".  And so on.  After I finish with "31", the following month, it can be "08".  Or by then, I could decide to employ a different pattern.  And if I should forget what it is this month, there will only be a select few to try, with a very high likelihood that the first couple I try will be successful.

Multiple passwords for multiple accounts.  Let's say I need to create a new Yahoo email address.  I choose the account name of "Jimmy46".  The password I would use with this account would be my "46" pattern password.  (Notice it's not exactly the same as I was using before.  But all the same, "J" will be at "4" and the "shifted-I" will be at "6".)

I urge you to play around with this.  Have some fun.  Get comfortable with it.  Also, when you decide on a pattern you like, try out your new password at:

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

This page will give you a scoring on your password and tell you if it is "strong" enough.

Oh, and the next time they try to enforce the password policy, respond "can I use dollar sign, hash, seventeen?"  "Too short," they'll say.  So you walk away… with a smirk… You know you can easily fulfill the policy now, but you still hate password policies.

PS.  No, 7ujmnbg%TGB is not really my password.  Besides, I have to change it every month.  (Oops)