1/27/2009 3:00:00 PM

What's been on people's minds lately?

by Iftach Ian Amit

As we have been predicting (and following during 2008), the criminal’s mind is very much attuned to the public mind. The issues that everyone (well, at least a lot of us) has been dealing with are the current economic situation and what President Obama is going to do about it. Without fail, eCriminals have been worried about the same issues, and in their latest “marketing” efforts have made sure that relevant internet sites will cater to them as well. Reports by Websense and Sophos show how both the official Barack Obama website and a couple of popular job sites have been compromised in an attempt to capitalize on the volume of traffic that has been hitting these sites.

As usual, not much of a surprise here (read more details about the “almanac” of web security here). Still, be careful out there, even on sites which you supposedly trust. Common sense usually trumps the irresistible urge to click and approve everything shown to you when trying to get to some content.


eCrime

1/26/2009 3:54:00 PM

Supreme court, freedom of speech and internet filtering

by Iftach Ian Amit

It was bound to happen. It didn’t work in Third World countries, attempts to do it in Western civilization failed one by one, and now it is proven again that you can’t really prohibit people by law from viewing certain content on the internet. What I’m talking about is this: the Supreme Court rejected a child anti-porn law that had been going on for more than 10 years. Basically, the interesting tidbit from this piece of news is that filtering can only be applied in businesses, where a company has control over what it allows people to view, and in certain educational facilities (although that is proving to be more difficult, as the article suggests). Don’t even think about enforcing service-provider-mandated filtering!

Another thing to note is how rules and legislation are facing the harsh reality that technology changes over time, and laws really can’t catch up. Until we see more cooperation on the cross-border legislative front (from law enforcement agencies working more closely with each other to more synchronized legislation across countries), the difficulty of defining jurisdiction and borders over the internet is not going to go away. We hope that 2009 will make some headway on these issues, since 2008 proved to be heaven for eCrime because of these difficulties (see our annual threat report for more info).


Internet Filtering

1/20/2009 11:04:00 PM

Conficker continues its rounds. Hits 9 million mark

by Iftach Ian Amit

It is funny how security works, isn’t it? When you think you got rid of the old-school (aka “stupid”) threats, reality hits you right back. Conficker/Downadup is a simple worm; it exploits a Microsoft Windows vulnerability that can only be utilized over a local network, as it uses the SMB protocol, and uses an initial infection vector of running an “autorun” on removable media (usually USB drives).

Why is it so annoying? Well, getting to 9 million infected machines (as per external reports) is pretty impressive for such a classic infection vector (considering that there is no communication attack vector at all: no internet needed, no email attachment…). I thought that these infections were mostly in large companies that fail to properly patch their systems. Reality check again: as I’m speaking at a security sales summit and working with the local hotel Business Center, I hand over my USB stick for them to print a PDF, and get it back with… you guessed it. Conficker.

Funny at first, but sad when you realize the number of non-technical, debugger-less users who plug the thing back in and have autorun immediately infect their system.


Worms | Vulnerabilities

1/14/2009 11:25:00 AM

Microsoft Security Bulletin Summary for January 2009

by Mahran Amona

Microsoft has released its monthly security bulletin for January 2009 to address critical vulnerabilities in Microsoft Server Message Block (SMB) Protocol. We strongly suggest applying the patches provided by Microsoft for these vulnerabilities.

Microsoft Security Bulletin MS09-001 - Critical
Vulnerabilities in SMB Could Allow Remote Code Execution
This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Note: This vulnerability should not cause a Web filtering concern, since the SMB protocol is used locally for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers.

References: Microsoft Security Bulletin Summary for January 2009


Vulnerabilities

1/13/2009 2:54:00 PM

Conficker worm

by Mahran Amona

Conficker is a new family of computer worms that spread by exploiting a vulnerability in Microsoft Windows which Microsoft patched with an emergency fix in late October. The worm has already infected thousands of computers worldwide.

Win32.Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

eSafe has been proactively detecting instances of the Conficker worm ever since its initial distribution, and has also provided specific signatures for it. All eSafe customers who are keeping their products updated are protected to the extent of the worm’s distribution and structure. eSafe continues to research new instances of threats and, as always, will provide the updates for detecting and blocking such threats in the future.

Update (1/15/09): SANS (http://isc.sans.org/diary.html?storyid=5695&rss) covers the truly problematic part of this worm – how people get infected in the first place (as we said, this is NOT a web security issue). Note that this advice is actually applicable for most organizations anyway since the “autorun” behavior should be avoided in the first place.


Vulnerabilities
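
A defender-side triage of the autorun vector discussed in the Conficker posts above, as an added example (not code from the blog or from eSafe): it lists what an `autorun.inf` at the root of a mounted removable volume would launch, without executing anything. The sample file content and the `tools\setup.exe` path are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# [autorun] keys that name something Windows would launch from the volume.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def autorun_commands(text):
    """Return (key, command) launch entries from the [autorun] section.

    Lines that are not key=value are skipped rather than treated as errors,
    so a file padded with junk still yields its launch entries.
    """
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if LAUNCH_KEY.match(key) and value:
            found.append((key, value))
    return found

def inspect_volume(root):
    """Find autorun.inf (any letter case) at the top of a mounted volume."""
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            # latin-1 decodes any byte, so binary junk cannot abort the scan.
            return autorun_commands(entry.read_bytes().decode("latin-1"))
    return []

# Constructed sample content, not taken from a real infection.
SAMPLE = ("xq3 junk padding line\r\n[AutoRun]\r\n; comment\r\n"
          "Action=Open folder to view files\r\nzzzz more junk\r\n"
          "OPEN=tools\\setup.exe /quiet\r\n"
          "shell\\explore\\command = tools\\setup.exe\r\nicon=folder.ico\r\n")

def demo():
    with tempfile.TemporaryDirectory() as vol:
        Path(vol, "AUTORUN.INF").write_bytes(SAMPLE.encode("latin-1"))
        return inspect_volume(vol)

if __name__ == "__main__":
    for key, cmd in demo():
        print(f"{key}: {cmd}")
```

Run it against the mount point of a stick from a machine where autorun is not in effect (for example a Linux workstation); any entry it returns is a program that an autorun-enabled Windows host could start on insertion.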