SANS ISC InfoSec Handlers Diary Blog

SPAM and Malware taking advantage of H1N1 concerns

Published: 2009-12-02
Last Updated: 2009-12-02 18:06:25 UTC
by Rob VandenBrink (Version: 1)

Gary writes in, telling us of a recent spike in SPAM with a title similar to "State Wide H1N1 Vaccination Program", which pretends to originate from the CDC (Center for Disease Control).  The email goes on to instruct you to "follow this link to create a vaccination profile on the CDC website".

Needless to say, this email is a fake: it redirects you to a site in the Ukraine and plants malware on your PC.  The URL starts with "http://online.cdc.gov", followed of course by the real domain name: six or seven seemingly random characters.

You do not need to register with the CDC to receive a vaccine for the H1N1 strain of influenza.

There's also a rise in fake H1N1 sites using other vulnerabilities to compromise your PC, including the recent Adobe issues.

It never ceases to amaze me the depths that these "malware folks" will stoop to. 

If you are following a link in your email - always check to see that it's taking you where you think you are going before you click it.  Copy and paste it through your clipboard, or rekey the link entirely in your browser.  This kind of deception is just so prevalent that clicking links in a received note is simply not safe!
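As an added example (not code from the diary or its handlers), here is a small Python checker that does the "look before you click" step mechanically: it parses each link, works out which registrable domain actually receives the click, and flags hosts that merely contain the trusted name, which is exactly the "online.cdc.gov" followed by the real domain pattern described above. The suffix list is a deliberately tiny stand-in for the Public Suffix List, and the sample message and every URL in it are constructed for the demo.

```python
"""Added example (not part of the ISC diary): a lookalike-link check.

Given a link that claims to belong to a trusted domain, work out which
domain actually receives the click and flag hosts that merely *contain*
the trusted name. The suffix list below is a deliberately tiny stand-in
for the Public Suffix List, and every URL in SAMPLE_EMAIL is constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# deployment loads the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "ua", "com.ua", "co.uk"}

# Constructed sample message in the style of the spam described in the diary.
SAMPLE_EMAIL = """\
State Wide H1N1 Vaccination Program
Follow this link to create a vaccination profile on the CDC website:
http://online.cdc.gov.x7k2q9p.example.com.ua/profile
Official information: https://www.cdc.gov/h1n1flu/
"""


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    'online.cdc.gov' -> 'cdc.gov'
    'cdc.gov.x7k2q9p.example.com.ua' -> 'example.com.ua'
    Falls back to the last two labels when no listed suffix matches.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Longest matching public suffix wins ('com.ua' before 'ua').
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def check_link(url: str, trusted_domain: str) -> dict:
    """Classify one link against the domain it claims to belong to.

    verdict is 'trusted' when the registrable domain matches,
    'lookalike' when the trusted name appears in the host or userinfo but
    the registrable domain is someone else's, and 'other' otherwise.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # strips user:pass@ and :port
    netloc = parts.netloc.lower()          # keeps user:pass@ for the check below
    reg = registrable_domain(host) if host else ""
    trusted = trusted_domain.lower()
    # Heuristic brand spellings: 'cdc.gov', 'cdc-gov', 'cdcgov'.
    brand_variants = (trusted, trusted.replace(".", "-"), trusted.replace(".", ""))
    if host and reg == trusted:
        verdict = "trusted"
    elif any(v in netloc for v in brand_variants):
        # e.g. online.cdc.gov.x7k2q9p.example.com.ua, cdc-gov.example.net,
        # or http://cdc.gov@evil.example/ (trusted name in the userinfo part)
        verdict = "lookalike"
    else:
        verdict = "other"
    return {"url": url, "host": host, "registrable_domain": reg, "verdict": verdict}


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def scan_message(text: str, trusted_domain: str) -> list:
    """Extract every http(s) link from a message body and classify each."""
    return [check_link(m.group(0), trusted_domain) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    for result in scan_message(SAMPLE_EMAIL, "cdc.gov"):
        print(f"{result['verdict']:9} {result['registrable_domain']:20} {result['url']}")
```

The point of the registrable-domain step is that the browser ignores everything to the left of it when deciding who gets the request, so a host that starts with a trusted name is worth nothing; the userinfo check catches the older "trusted.name@real-host" trick the same way.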

Updates to Sysinternals Toolkit

Published: 2009-12-02
Last Updated: 2009-12-02 16:56:54 UTC
by Rob VandenBrink (Version: 1)

Roseman tells us of updates to the popular Sysinternals toolkit.  This round includes updates to the utilities VMMap, Disk2vhd, Sigcheck, Autoruns, PsExec and PsKill.

The Disk2vhd update is the one I find most interesting - they've updated it to fix up the kernel and HAL during the migration, to make migrated VHDs bootable in Virtual PC.  This has been around forever in VMware's P2V and newer versions of the same tool; I'm glad to see this function available on other virtual platforms!

Disk2vhd also allows you to skip sectors with CRC errors, which gives you a shot at recovering failing physical disks by migrating them to virtual - this feature is a really helpful one!

Find more information here ==> http://blogs.technet.com/sysinternals/archive/2009/12/01/updates-vmmap-v2-5-disk2vhd-v1-4-sigcheck-v1-63-autoruns-v9-57-psexec-v1-97-pskill-v1-13-and-a-new-windows-internals-session-video-from-mark-at-pdc-2009.aspx

Microsoft Black Screen of Death - Fact or Fiction?

Published: 2009-12-02
Last Updated: 2009-12-02 16:43:47 UTC
by Rob VandenBrink (Version: 1)

We've had a lot of interest in the drama unfolding around Prevx's announcement on Nov 27 that they had found a "Black Screen of Death" issue that they had researched - you can find their initial post on this issue here ==> http://www.prevx.com/blog/140/Black-Screen-woes-could-affect-millions-on-Windows--Vista-and-XP.html

The title of their blog indicates that this could affect "millions of Windows 7, Vista and XP stations".  Prevx's root cause post on Dec 1 ( http://www.prevx.com/blog/141/Windows-Black-Screen-Root-Cause.html ) fleshes this out further, indicating that one of the recent Microsoft patches, either KB915597 and/or KB976098, seemed to modify the ACLs on a registry key that in turn denies local users the right to view their own desktop, which results in the "black screen" symptom.

This is a well known and long-standing symptom - you can deny users access to their own screen by changing the ACLs on the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell .  This isn't a problem on its own, it's part of the overall design of Windows - I can think of a few cases where this might be a useful thing in fact.

Anyway, on to the drama: Microsoft also posted on Dec 1 ( http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx  ) - they had a few important points:

  • They've reviewed all of their recent updates - they simply do not change this ACL
  • They are not receiving millions of calls - this can't be affecting millions of systems
  • Prevx went straight to press without involving Microsoft


I'd echo Microsoft on this one (on all 3 points actually) - we simply aren't seeing any widespread "black screen" issue.

Prevx has posted a final blog entry today ( http://www.prevx.com/blog/142/Windows-Black-Screen-recap.html ).  They're now agreeing with Microsoft, that the black screen issue that they've seen appears to have some cause unrelated to the Microsoft updates.  I can see how this might be an easy mistake to make, especially if you are researching several issues on one machine or VM image.

The thing I find most interesting in this cyber-opera is the number of  posts that we're seeing on other sites that took the original post as truth without doing any check at all.  I realize people are busy and everything, but a little bit of fact-checking goes a long way ....


So to recap - the "Black Screen of Death" is in fact a real thing, but it's not a recent thing, and you won't be seeing it as a result of applying any of the Microsoft patches to date.  It's still recommended to keep your Windows systems (and any other systems for that matter) as up to date as possible with vendor updates.