Who says you have to be stuck at the computer in order to post to your blog? If you have a mobile phone or PDA with e-mail capability, you can post blog entries to your MSN Space while you're on the road by following two simple steps.
1. Create your MSN Space
If you don't yet have your own MSN Space, you can create one by going to http://spaces.msn.com and clicking Create your space. Or if you prefer, you can sign up for your space using your mobile phone. Just use your Web access setting on your phone to go to http://spaces.msn.com, and MSN Spaces will display a text menu that will walk you through the process of creating your space.
Note: If for some reason the page doesn't load correctly on your model of cell phone (all cell phones are not created equal!), navigate to http://mobile.spaces.msn.com/ to access the Get your own space option.
2. Set up mobile posting
Posting to your MSN Space is really as easy as sending a message—including text and photos—from your phone to your MSN Space. Once you've set up your space to receive posts by e-mail, the rest is simple. Here are the steps for setting up your MSN Space to receive mobile posts:
Read the full article from Katherine Murray and Mike Torres.
Good day, Paul Cooke here.
The Microsoft Malware Protection Center has published volume five of the Microsoft Security Intelligence Report. If you have not taken a look at this report before, I urge you to go download it from http://www.microsoft.com/sir. It provides a thorough view of the current threat landscape and is filled with a number of great data points. In my first scanning of the document, the following items immediately jumped out at me:
· Microsoft vulnerabilities accounted for 42% of the total vulnerabilities on Windows XP for browser-based attacks; however, on Windows Vista-based machines the proportion of vulnerabilities attacked in Microsoft software dropped to just 6% of the total. This highlights not only our continued security investments in the browser but also the fact that attackers are focusing more and more on the applications that run in the browser.
· The infection rate for Windows Vista is significantly lower than Windows XP, regardless of service pack levels. In addition, 64-bit versions of XP and Vista have lower infection rates than their 32-bit counterparts.
· The higher the level of service pack a machine runs, the lower the rate of infection. This is consistent across client and server platforms, across all versions. Clearly, keeping up to date with the latest service pack levels and security patches is beneficial from a security perspective. While we have always thought this to be true, having a data point to prove it is great.
This is just a taste of some of the findings in this latest report. I'll be scouring this report in detail and will come back in the next week or so with a comprehensive look at how Windows Vista has fared from a security perspective since its release!
Posting is provided "AS IS" with no warranties, and confers no rights.
Good day, Paul Cooke here.
I am in Barcelona getting set up for some sessions at TechEd-EMEA in Barcelona. The weather was a bit dicey for parts of yesterday, but today is clear and beautiful. I've got two full sessions and a bit part in a third where I will be talking about Windows 7 security features. If you are in Barcelona and have a passion for security, come to one of my sessions or find me on the exhibition hall floor; I would love to chat.
My previous blog article was intended to highlight two new features observed in a number of phishing kits that were aimed at making the lives of security analysts more difficult. I now want to focus my attention on another trick that has been used in phishing kits in order to protect the attack against a technique called "dilution." Dilution is a method of submitting a certain amount of false credentials, names, account numbers, and other personal information to a phishing website. With this technique, real credentials are diluted in a sea of false data, making the fraudster's job harder.
There are several different kinds of dilution strategies, classified by the type of data provided to the phishing site:
I am sure by now that many have read about Trojan.Gimmiv exploiting the new MSRPC vulnerability. While we have not seen any evidence of Gimmiv replicating by itself, we analyzed a second component, related to Gimmiv, which is able to exploit the vulnerability patched on Wednesday. Interestingly though, Gimmiv exploits a 2006 vulnerability described in MS06-040 along with its MS08-067 exploit. Because of the way that Gimmiv does this, Symantec IPS definitions circa August 2006 will block this attack.
Because the MS08-067 vulnerability can be exploited without triggering the 2006 IPS signature, we strongly recommend that all users run LiveUpdate to get the latest signatures. This will add specific coverage for MS08-067 for Symantec Endpoint Protection (SEP) and SCS customers as well as all NAV/NIS/N360 customers. It is quite likely that this vulnerability will be used by a widespread worm in the near future.
The vulnerability defined by MS08-067 will be detected by the following IPS signatures:
The attack used by Gimmiv will be detected by the following 2006 signatures first, however:
Symantec AntiVirus will also detect the files associated with this attack as Trojan.Gimmiv.A.
There's only one thing better than getting a brand-new PC—getting a brand-new PC set up exactly the way you want it. Take the time up front to do some simple customization and you'll get a PC that truly reflects who you are—and that organizes all your information so you can spend more time on the things that matter.
5 tips for customizing your desktop
Tip #1: Change your desktop background
Right-click anywhere on your desktop and select Personalize. Then choose Desktop Background. If the picture you want to use isn't displayed, simply navigate to the correct folder. Alternatively, you can select any picture on your PC or the Internet, right-click, and select Set as Background.
Tip #2: Customize your theme
To choose the theme that you want to use, right-click on the desktop, select Personalize, and then choose Windows Vista or Windows Classic. Want something completely new? No problem. You can download many different themes from the Internet—simply search for Windows Vista themes (and make sure that you're downloading from a site you trust). Then, when you're choosing a theme, select Browse, and navigate to the folder where you've saved the theme.
Tip #3: Check out Sidebar
If you've recently gotten a new PC running Windows Vista, you'll probably notice the icons running down the right side of your desktop. Each of the icons you see is a Gadget, or a mini program that pulls information straight to your desktop. Delete any Gadgets you don't want by clicking the X on the left side of the Gadget. Add more by right-clicking the plus sign at the top. You can choose from Gadgets already included in Windows Vista, or view hundreds of Gadgets available for download by clicking Get more gadgets online.
Tip #4: Personalize desktop icons
Sometimes it's fun to shake up how desktop icons look, too. Right-click on the desktop, select Personalize, and then click Change Desktop Icons under Tasks on the left-hand side. Then choose the icon you would like to change and click Change Icon. From there, you can view your options. And just like themes, you can download many different icons from the Internet. You can also change the size of your icons by right-clicking on the desktop and selecting View. Decide whether you want to display icons on the desktop, and then choose between large, medium, and classic (small) icons.
Tip #5: Take advantage of Quick Launch
If there are programs you use regularly, think about putting them on your Quick Launch bar, located right next to the Start icon. To add applications, you can either drag the icon onto your Quick Launch bar, or you can right-click on the icon and select Add to Quick Launch.
Next step: Take the deep dive on personalizing your PC
If you thought customizing your desktop was the only way to stake a claim on your PC, think again. From screensavers and skins to calendars, interacting with your computer has never been easier. Get more tips by reading the full version of this article at http://www.microsoft.com/athome/moredone/personalizevista.mspx.
What makes this attack remarkable is that because the Help and Support Center can run script commands in the context of the local user, attackers can use built-in ActiveX controls that are not marked as "Safe for Scripting" to execute a malicious binary that they have already placed on the vulnerable user's computer.
It's worth noting at this point that in order for this attack to be successful the user must be logged in with Administrator privileges. However, since the standard Windows XP setup on stand-alone systems often has Administrator privileges enabled, and most users don't follow best practices to set up a limited user for general use, this attack may be possible on a large number of machines.
The DeepSight Threat Analysis team has also created the following video which demonstrates an attack of this type:
This is an informational blog for the readers of the Security Response Blogs, particularly those that prefer to use an RSS client to keep up-to-date with our articles.
This Thursday morning (Pacific Daylight Time), October 23rd, we will switch over our RSS feed to a new URL. Please be sure to update your RSS feeds to use the new URL:
http://www.symantec.com/xml/rss/srblogs.jsp
The URL for our main page remains unchanged; please add it to your bookmarks:
http://www.symantec.com/business/security_response/weblog/
We hope you can visit very soon!
Volume XIII of the Symantec Internet Security Threat Report highlighted the fact that the number of vulnerabilities affecting web applications is growing. However, these security issues are not only affecting common legitimate applications, but also malicious code. In fact, a source code analysis of several samples revealed serious vulnerabilities that could, ironically, open security holes in programs designed to compromise other users' security.
The investigation originated while analyzing a phishing kit (that is, a package containing a clone website of a financial institution) including a PHP page that was neither called nor apparently used by the fraudster to accomplish his task. The phishing kit contained the following code:
The code does nothing more than read a parameter and use its value in an include() call to load another PHP file. However, because the value is not validated, it can also be used to force the application to load a piece of remote code and execute it in the context of the server on which the calling application resides. Exploiting this scenario yields what is called "remote code execution," which could allow an attacker to gain access to the server.
But why has this vulnerable code been included and distributed within several phishing kits? Probably the fraudster hopes that a system administrator will ignore the file because it has a familiar name, even after discovering that the server has been compromised. This would allow the fraudster to maintain access to the server and re-deploy the web pages used for the phishing attack.
On the other hand, it is not uncommon that the person building the kit is not the one who is supposed to use it. So why not consider the hypothesis of a back door intentionally left behind in order to allow the writer access to all the servers compromised by the people using the kit? This would save the malware author time and effort, since a huge number of systems could be taken over without needing to identify how to compromise them.
The existence of back doors in malicious software is not unusual. Take, for example, the time malware started using IRC as a control channel, when a specimen called SlackBot joined an undocumented channel under the control of the author. This allowed the virus writer to control infected systems at no additional cost.
Recently, a new version of the vulnerable file discussed above has been identified, with some changes in the code:
This time, when the previously vulnerable parameter is supplied, the script includes a legitimate website rather than the PHP code the caller wants to execute. A new parameter must now be used to reproduce the original behavior: the extra code was probably added to hide the vulnerability while still keeping the door open.
When someone is asked to present an analysis of a modern threat, the explanation often becomes complicated very quickly. Here I will present a brief analysis of a Trojan that uses the KISS approach: "keep it simple, stupid."
The reason for this article is that upon hearing what I do for a living, people often ask, "why do people write viruses?" After explaining the various dangers of using a computer online, people often follow up with the following question: "I don't bank online, I don't shop online, etc... so why would someone want to attack my computer?" This article is dedicated to anyone who has ever sat beside me on a plane/train/automobile and asked me these questions. ;-)
The Trojan shown below will help to explain why a computer is still valuable to an attacker, even if that computer contains no sensitive data. The Trojan presented here does not steal private data (such as banking credentials); however, it does contribute to one problem of online computer usage that everyone is familiar with: spam.
What is presented here is nothing new or groundbreaking. Anyone up-to-date on security will be familiar with these Trojans. They have been around for some time now, but what caught my attention was the simplicity of this particular sample and how easy it is to understand: perfect for a simple explanation of how these types of Trojans operate. (No encryption, no obfuscation, no time delays or crazy features.)
The threat is called Trojan.Spamthru. It is a threat that simply runs silently in the background whenever an infected computer is online, and its goal is to continuously send spam. When Trojan.Spamthru is executed it immediately connects to a control server to receive configuration data. This configuration data is received as plain text and consists of the following variables:
- A generic email template
- A list of first names
- A list of last names
- A list of subjects
- A list of domains
- A list of URLs
- Other data that is not essential to this article
This is the template that was received the first time the Trojan was executed:
Date: {DATE}
Anything within curly brackets in the above template will be replaced with appropriate data before the spam email is sent. The Trojan knows what data to use by checking the lists that were previously received as part of the configuration data.
For example, in the configuration data downloaded, the variable {$FNAMES$} refers to a list of 5,494 first names:
mary
Before the Trojan sends a spam email it will replace all occurrences of {$FNAMES$} in the template with a randomly chosen first name from the list above. The same procedure is followed for all of the other variables in the template:
The Trojan chooses a random entry from each of these lists, inserts those entries into the template, and then sends a spam message. It then repeats the process while choosing new random entries from the lists.
Here is a sample mail that the Trojan was attempting to send:
The URL at the bottom of the email was a fake medical supplies site that looked something like this:
The templates are continuously changing. Also, the Trojan reconnects to the control server at specified intervals and receives new templates. Here is an example of another spam email that was sent a few days later:
This site was trying to sell fake watches and designer bags. The name of the site was Kings Replica, which is a name associated with a well-known spam campaign that has been running for a long time. (See here for more details.)
A colleague of mine, Dermot Hartnett, who works in our anti-spam team was recently interviewed about the current trends within spam. Although the interview is from July, the information presented is still relevant and shows what you might expect to see in your inbox (or, rather, what was blocked before it ever got to your inbox):
Symantec has observed an increase in the use of image spam attacks over the past few weeks. Symantec defines image spam as an unsolicited message containing an image in the body.
In August, image spam attacks accounted for approximately 1.6% of total spam. In September we observed that image attacks almost doubled, representing approximately 2.6% of total spam. Over 50% of image attacks observed are English, and the second largest group of messages is Russian. In the first ten days of October, image spam messages have averaged approximately 8.6% of total spam. This is the highest mark to date over the last 90 days. From May of this year up to September, image spam was relatively quiet. As stated above, these numbers have been increasing since mid-September. We have not seen image spam of this volume since February of this year.
Commonly seen image spam messages have included Russian online dating offers, random product offerings with an image opt-out, and the all too familiar Viagra offers. Nothing is blatantly new here, but the recent volume increase is notable enough for us to ask if this old trend could be trying for a comeback.
Another observation with image spam is its connection to phishing attacks. Several phishing attacks have used images recently, which have in turn classified them as image attacks. We recently observed some large phishing attacks on banks with attached logo images. The good news is that anti-spam effectiveness is not being negatively impacted due to this trend. Symantec is effectively protecting our customers from these attacks with our anti-spam products.
Symantec's Cutting Edge 2008 engineering conference had a remarkable symmetry on the second day. The first keynote was delivered by Enrique Salem, COO of Symantec, and the last one by Chris Hoff, Chief Architect of Unisys.
Remarkably, they spoke with almost color-coordinated phrases. Enrique said that the way Symantec was going to differentiate itself from competitors was to focus on virtualization, information risk management and SaaS (software as a service). Chris Hoff talked about the "virtualization of security" or as he said, the three most important trends in the industry at the moment: virtualization, security and management of risk, and lastly, "cloud computing"/SaaS. Chris described the four horsemen of the apocalypse (be afraid, be very afraid) in trying to focus attention on the challenges posed in the brave new world of network security in a virtualized world.
It brought to mind the biggest opportunity and the biggest challenge facing Symantec at the moment. How do we work better together - using our products and our teams to solve customer problems? Enrique called attention to the unique positioning of the Symantec product portfolio in responding to these challenges. He gave the example of the Symantec Open Collaborative Architecture (OCA) through which Symantec products can share data, workflow, and management capabilities to jointly address customer problems. What is different about the OCA from previous integration efforts? The answer is that it is based on a proven product set--the Altiris (now Symantec) management platform--and on industry web services standards. The Symantec OCA allows products to collaborate through the Symantec Workflow Engine, by exposing web services or by utilizing the Altiris platform and console.
Another takeaway from the conference was Joe Fitzgerald's reference to the number of patents in the Symantec patent portfolio. Fitzgerald, the VP of our legal department, referred to the Wall Street Journal's Technology Index, in part based on the patent portfolio owned by technology companies, which is considered to be critical to success. (Remember, the conference is about "How We Win.") Symantec is 16th on the WSJ Technology Index. Overall, a very insightful day.
A day of running errands can be stressful for anyone. A simple journey around town can involve a great deal of coordination, from planning what you need and where to go to finding a simple route around town that hits all the necessary destinations. Technology can help you get organized and reduce some of this stress.
Tip #1: Plan ahead using the Web
Before you set out, use the Web to check the local weather and possible traffic around town. You might also want to check the hours of operation for the stores you plan to visit; many times stores will post this information on their Web sites. You can use MSN for most planning needs.
Tip #2: Know your budget
Errands usually involve spending money, so double check to ensure that you have sufficient funds for your transactions. Determine your balance before you head out so you know how much you can spend. Personal finance software, like Microsoft Money, can help save you time.
Tip #3: Use a PDA to help you stay on track
A Personal Digital Assistant (PDA) or Smartphone can be very helpful while on the road. You don't want to forget anything while you're out and about, so use your PDA to keep track of your different lists for shopping. Be sure to install Windows Mobile software and you will also be able to access Internet Explorer.
Tip #4: Travel efficiently—map your shopping route
There are several devices available for in-car navigation. If you're looking for something affordable and easy to use, software might be the way to go. Microsoft Streets & Trips with GPS Locator can turn your laptop into a powerful navigation system.
Tip #5: Keep the kids entertained
Spending a lot of time in the car can be boring for children. To help alleviate their boredom, bring along some toys or travel games to keep them occupied and entertained. Consider bringing a laptop with Microsoft Encarta, which is both educational and entertaining, and doesn't require an Internet connection.
Read the full article from Meredith Williams.
Trojan.Silentbanker has been in the wild since late last year; however, the most recent release of this Trojan has had some interesting features added to it. Namely, the most recent version has added rootkit functionality to make the Trojan even stealthier. If you are unfamiliar with Trojan.Silentbanker, have a look at this blog first.
In particular, the Trojan tries to hide its own files from the system in order to avoid someone noticing the files and to hide its configuration from prying eyes. This is a common technique used by other Trojans to stay invisible on a system. Trojan.Silentbanker stores its executable files and configuration files in the "system32" folder using a file name that consists of a series of numbers followed by the extension .cpx or .cpl. (I'll explain what the numbers mean a little later.)
In order to become invisible the Trojan needs to hook the FindFirstFile / FindNextFile functions of the system so that when the system is about to return a listing of files to the user, the Trojan can sanitize the list first and remove any references to the Trojan's files before the user is presented with the list. To illustrate the addition of rootkit functionality to the Trojan, review the table below, which shows the functions that were hooked by the Trojan in January 2008 and in the most recent version:
Fig 1. APIs hooked by Trojan.Silentbanker
(Note: A "?" in the above table signifies that the information regarding whether or not that API was hooked in a specific version was not available at the time of writing.)
The interesting additions to the list are the FindNextFile APIs. Let's take a look at what these functions do now that they are hooked. First though, here is what the FindNextFileW code should look like on a clean system:
Now, here is the code when the Trojan is running and the function is hooked:
We see that the real FindNextFileW code has been replaced with a jump to address 1610000. The code at that address sets some variables and then jumps to the attacker's version of FindNextFileW, which is stored at 0x0A3DF27 and is shown below in IDA:
Here we see that the malicious FindNextFileW will call the real FindNextFileW first. Then, it will check if the filename returned is a file name that should be hidden; it does this in the FilterFindNextResults function. If it is a filename that should be hidden, then the code will call the real FindNextFileW once more. So, even though the system intended to call the real FindNextFileW function once, the attacker causes it to be called twice and to return the results of the second call only. So, the information about the file to be hidden is never returned by the function.
Let's have a look at the criteria that the FilterFindNextResults function shown above uses to hide files. Various code is involved, but the most important part is the function shown below, which calculates a hash of the computer name:
The resulting hash, an 8-digit number, is what is used as the digits before the .cpx or .cpl extension that I mentioned earlier. For example, the hash of the test PC was 38477686, and during testing the following files were created: 3847768621.cpx, 38477686212.cpx, and 38477686221.cpx (another number is appended to the hash in order to be able to store more than one .cpx file; in this case the numbers appended were 21, 212, and 221, respectively).
So, the malicious FindNextFileW calculates the hash of the computer name and compares that hash to the file names that are returned from the real FindNextFileW. If there is a match the real FindNextFileW is called a second time, effectively causing the last file found not to be reported.
There are a few things to note about this threat. One is that FindFirstFileA and FindFirstFileW are not hooked; only FindNextFileA and FindNextFileW are. This means that if the Trojan's file is the first in a directory listing, it will not be hidden.
Also, the hash of the filename is calculated every time FindNextFileW is called. Besides being inefficient coding, this means that if you change the name of your computer, the files will no longer be hidden, because the hash of the new computer name will not match the hash that was used when the Trojan files were created in the first place.
Another interesting fact is that no registry APIs were hooked, so the registry entries created by the Trojan can still be seen. The Trojan creates the following registry key in order to start when the computer is restarted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1:"[hash of computer name].CPX"
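The two observations above, the jump written over the entry of FindNextFileW and the predictable hash-plus-digits file names, both give a defender something to check for. The following C is an added example, not code from the post or from Symantec: it applies a generic inline-hook heuristic to constructed prologue bytes (the clean sequence is the usual hot-patchable Win32 API entry mov edi,edi / push ebp / mov ebp,esp, the hooked one a 5-byte jmp rel32 with a placeholder displacement), cross-checks them against a trusted reference copy, and scans a constructed directory listing for names that follow the scheme described above using the hash value 38477686 quoted in the post. Nothing here reads a live process or the registry; the samples are embedded so the example runs offline on any platform.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples, not bytes captured from the Trojan or the post.
 * CLEAN_PROLOGUE: mov edi,edi / push ebp / mov ebp,esp (typical Win32 API entry).
 * HOOKED_PROLOGUE: the same entry after an inline hook replaced it with a
 * jmp rel32; the displacement is a placeholder, not the address from the post. */
static const uint8_t CLEAN_PROLOGUE[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t HOOKED_PROLOGUE[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };

/* Constructed system32 listing containing files built from the hash 38477686. */
static const char *const SAMPLE_LISTING[] = {
    "kernel32.dll", "3847768621.cpx", "38477686212.cpx",
    "38477686221.cpx", "38477686.CPX", "12345678.cpx", "notepad.exe"
};
#define SAMPLE_LISTING_LEN (sizeof SAMPLE_LISTING / sizeof SAMPLE_LISTING[0])

/* Heuristic: a hooked export, as described above, begins with a jump to
 * the attacker's code instead of its normal prologue. Recognises
 * E9 rel32, EB rel8 and FF 25 [abs32]. */
bool prologue_looks_hooked(const uint8_t *code, size_t len)
{
    if (len == 0)
        return false;
    if (code[0] == 0xE9 || code[0] == 0xEB)
        return true;
    if (len >= 2 && code[0] == 0xFF && code[1] == 0x25)
        return true;
    return false;
}

/* Stronger check: compare the in-memory entry bytes with the same bytes
 * taken from a trusted reference (the DLL on disk). Any mismatch means
 * the code was altered after it was mapped. */
bool prologue_matches_reference(const uint8_t *mem, const uint8_t *ref, size_t len)
{
    return memcmp(mem, ref, len) == 0;
}

/* File-name rule from the post: the 8-digit computer-name hash, zero or
 * more extra digits, then a .cpx or .cpl extension (case-insensitive).
 * The registry value uses the bare hash, so zero extra digits is allowed. */
bool is_silentbanker_style_name(const char *name, const char *hash)
{
    size_t hlen = strlen(hash);
    if (hlen == 0 || strncmp(name, hash, hlen) != 0)
        return false;
    const char *p = name + hlen;
    while (*p != '\0' && isdigit((unsigned char)*p))
        p++;
    if (*p != '.')
        return false;
    const char *ext = p + 1;
    if (strlen(ext) != 3)
        return false;
    return tolower((unsigned char)ext[0]) == 'c' &&
           tolower((unsigned char)ext[1]) == 'p' &&
           (tolower((unsigned char)ext[2]) == 'x' ||
            tolower((unsigned char)ext[2]) == 'l');
}

/* Count the entries of a directory listing that follow the naming scheme.
 * The post notes FindFirstFile is not hooked, so on an infected machine
 * the first such file can still show up in an ordinary listing. */
size_t count_silentbanker_style_names(const char *const *names, size_t n, const char *hash)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_silentbanker_style_name(names[i], hash))
            hits++;
    return hits;
}

int main(void)
{
    printf("clean prologue looks hooked:   %s\n",
           prologue_looks_hooked(CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE) ? "yes" : "no");
    printf("patched prologue looks hooked: %s\n",
           prologue_looks_hooked(HOOKED_PROLOGUE, sizeof HOOKED_PROLOGUE) ? "yes" : "no");
    printf("patched matches on-disk copy:  %s\n",
           prologue_matches_reference(HOOKED_PROLOGUE, CLEAN_PROLOGUE, 5) ? "yes" : "no");
    printf("suspicious file names:         %zu of %zu\n",
           count_silentbanker_style_names(SAMPLE_LISTING, SAMPLE_LISTING_LEN, "38477686"),
           (size_t)SAMPLE_LISTING_LEN);
    return 0;
}
```

On a real system the reference bytes would come from the DLL on disk and the in-memory bytes from the loaded module; the comparison is the reliable test, and the jump heuristic is only a quick first pass, since some legitimate hot-patching also rewrites function entries.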
As well as adding rootkit functionality to the latest version of the Trojan, the authors have also added an extra layer of encryption to the configuration files. I will discuss this extra layer and how to decrypt it tomorrow.
The latest version of this Trojan is detected by Symantec as Trojan.Silentbanker. The writeup, available here, has been updated with the latest changes to the Trojan.