Computer Security Response Team - Advisories

BlackWorm

csrt@utulsa.edu (CSRT) — Mon, 30 Jan 2006 10:07:45 -0600

Systems Affected: All Windows Systems

Description: Blackworm was originally released in 2004, but new variants were released in January of 2006. The worm is delivered via an attachment in email, and the subject and the name of the attachment can be nearly anything. This worm is potentially devastating however, because it effectively deletes files with the following extensions:

DOC
XLS
MDB
MDE
PPT
PPS
ZIP
RAR
PDF
PSD
DMP

Any files with the above extension will be overwritten with the text "DATA Error [47 0F 94 93 F4 K5]" in any folder that an infected user has write access to, including on the W:\ drive (My UTULSA Space) and the S:\ drive (SharedSpace).

Continue reading "BlackWorm"

Significant Vulnerability in all Windows Operating Systems

csrt@utulsa.edu (CSRT) — Fri, 6 Jan 2006 15:23:00 -0600

Update 3:03pm 1.6.05:
There are vulnerabilities in the way Windows displays images which could allow someone to take over your system simply by convincing you to view a picture (gif, jpeg, bmp, tiff, wmf, etc.). As of December 31st, McAfee was reporting that 6% of their customer base had been successfully attacked. On January 5th, Microsoft released a patch to fix Windows 2000, XP, and 2003 Server. The CSRT along with local sysadmins recommend the following:

If you are a student, faculty, or staff member working on a Personally Owned computer system:

Please proceed to Microsoft's Windows Update site. Once there, you may be prompted to install a "new version of Windows Update" before you can check for any additional Windows updates. Please make sure you get to a screen where it lists critical updates, and make sure you install all critical updates. Once all critical updates are installed, you will likely be asked to restart your computer. After your computer has restarted, visit Microsoft's Windows Update site again and make sure that there are no additional updates available. If a system is extremely out of date, it may take several visits to Microsoft's Windows Update site, and several reboots, before the system is fully up to date.

If you are a faculty or staff member in the College of Arts and Sciences, your local systems administrators recommend that you:

Please contact Scott Roberts, x2318 for instructions.

If you are a faculty or staff member in the College of Business Administration, your local systems administrators recommend that you:

Please contact Chuck Blankenship, x3156 for instructions.

If you are a member of the faculty or staff in the College of Engineering and Natural Sciences your local systems administrators recommend:

No additional steps need to be taken to ensure the latest patches have been applied to university owned systems that are on campus. If the system is not on campus, or is a personal system, please follow the guidlines listed under "If you are a student, faculty, or staff member working on a personally owned computer system". -- Keith Schoenefeld

If you are a member of the faculty or staff in the College of Law, your local systems administrators recommend:

Computing Resources will update all University owned computers that are located at John Rogers Hall and the Boesche Legal Clinic. For personally owned systems or University owned systems that are located off campus, please follow the guidelines titled "If you are a student, faculty, or staff member working on a personally owned computer system". -- Chris Farwell

If you are a member of the staff in the business units, your local systems administrators recommend:

If your machine is supported by the help desk, then we are making every possible attempt to deploy the microsoft update automatically to your machine. If your machine is not supported by the help desk, please ensure that you have the latest microsoft windows updates on your machine. To update your machine please follow the guidelines titled "If you are a student, faculty, or staff member working on a personally owned computer system" for instructions to update your machine. -- Jona than Kim mitt

Continue reading "Significant Vulnerability in all Windows Operating Systems"

Block for Spyware Proxies

csrt@utulsa.edu (CSRT) — Fri, 7 Oct 2005 13:03:34 -0500

Background
The Computer Security Response Team has detected a significant number of computer systems whose Internet Connection configurations have been altered by a software package generally referred to as marketscore that is widely considered to be spyware. This re-configuration redirects some of the computer's web sessions, including secure (https://) sessions to one of a number of proxy servers.

From MarketScore's privacy policy:
Marketscore (originally called Netsetter) is a service of comScore Networks, Inc. (www.comscore.com) ...
Marketscore monitors all of your Internet behavior, including both the normal web browsing you perform, and also the activity you may have through secure sessions...

We believe that computers with marketscore.com spyware are disclosing confidential and personal information, such as usernames, passwords, credit card numbers, on-line banking information, e-purchases, and the content of transactions with secure campus websites.

In order to protect the confidentiality and privacy of personal information exchanged with our users, we are temporarily blocking all traffic which is destined to known marketscore.com web-proxies.

Impact
On-campus users with marketscore.com spyware may not be able to access any website. Newer versions of Marketscore have become "selective", and only attempt to proxy certain websites, so it is possible that users will be able to access many websites, but be blocked when they attempt to access a few.

If you started experiencing problems accessing websites after 1:00pm Friday October 7th, your computer may be infected with MarketScore.

Off-campus users can also check if their traffic is redirected through one of these proxies by visiting http://www.infosec.csusb.edu/privacy/proxycheck.pl.

Resolution
Users of University owned computers need to contact the IS Helpdesk immediately at x3500, or help@utulsa.edu.

Other users "infected" with this spyware may wish to try the marketscore.com spyware removal procedure offered by Columbia University. Users may also wish to visit the Federal Trade Commission's Facts for Consumers regarding identity theft. The IS Helpdesk is unable to work on non-University computers. If you are unable or unwilling to remove Marketscore from your system, we would recommend that you take your computer along with this information to a local computer repair shop, so they can remove Marketscore from your system.

Additional Resources
The EDUCAUSE Resource Center: Spyware/Adware contains many links to information and free tools regarding Marketscore and spyware in general.

Thanks to CSUSB for much of the text in the above page.

"Compromised" Role - Instant Messenger Worms

csrt@utulsa.edu (CSRT) — Mon, 19 Sep 2005 07:51:25 -0500

Summary:
Over the past week, the Computer Security Response Team and IS Networking Services have worked together to disconnect about 25 computer systems from the residential network. While performing some traffic analysis, we determined that each of these systems were severely compromised. As of this afternoon, these systems will be moved from the "Infectious" role to a newly created "Compromised" role, so it will be more clear to affected students. Unfortunately, these compromised systems have been so infected that it's not possible for any antivirus or spyware tool to clean them completely. One of the programs installed on these systems by the hackers was a "rootkit", which hides the existence of all hacker activity from the person operating the computer.
Continue reading ""Compromised" Role - Instant Messenger Worms"

Ignore TTCU email messages

csrt@utulsa.edu (CSRT) — Wed, 14 Sep 2005 13:54:23 -0500

We are aware of email messages reporting to be coming from Tulsa Teachers Credit Union such as the following:

Dear Customer,

At Tulsa Teachers Credit Union, the highest responsability to our
customer is the safekeeping of confidential information you have
entrusted to us and using it in a responsable manner. A fundamental
element of safeguarding your confidential information is to provide
protection against unauthorized access or use of this information. We
maintain physical, electronic and procedural safeguards that comply with
federal guidelines to guard your nonpublic personal information against
unauthorized access.

At this time we need you to confirm your e-mail address with our
existing database. As soon as our database will be updated we need to
make few important anouncements to our customers so please update your
contact information with no delay.

https://ttcupbih.ttcu.com/jsp/login.jsp

Our database will be instantly updated.

We are committed to the responsable use and protection of customer
information on our website. If you have any questions regarding our
services, please check the website or call our customer service.

Best Regards,
Tulsa Teachers Credit Union Online Department.

<-- end of message -->

These messages are NOT from TTCU. When you click on the link, you will be directed to a server in Korea that will harvest your username and password and use the information to empty your bank account.

Windows 2000 vulnerable to remote attacks.

csrt@utulsa.edu (CSRT) — Mon, 15 Aug 2005 17:32:00 -0500

Systems Affected: Windows 2000

Description: A new vulnerability was announced by Microsoft on Tuesday August 9, 2005 which allows a person on another computer to take over any unpatched Windows 2000 system. On August 14th, 2005 a program was released on the Internet which allows someone to take advantage of this vulnerability in order to take over a remote system. If you are running an unpatched version of Windows 2000, this means that someone may have already taken control of your system.
Continue reading "Windows 2000 vulnerable to remote attacks."