  • December 27, 2007 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    December 27 - Storm Worm Activity Increases During Holiday Season
    December 21 - Adobe Flash Player Vulnerabilities
    December 20 - Google Orkut Worm
    December 19 - MSRC Releases Update to MS07-069
    December 19 - Cisco Releases Security Advisory to Address Vulnerability
    December 19 - Apple Releases Security Updates to Address Multiple Vulnerabilities
    December 14 - HP Info Center Software Public Exploit Code



    Storm Worm Activity Increases During Holiday Season

    added December 27, 2007 at 12:03 pm | updated December 27, 2007 at 04:41 pm

    US-CERT is aware of an increase in Storm Worm related activity. The latest activity is centered around messages related to the New Year. This Trojan is spread via an unsolicited email message that contains a link to a malicious web site. When the malicious link is followed, the Trojan may attempt to exploit an unpatched vulnerability or continue to rely on social engineering to download and install the file on the user's system.

    Subject lines can change at any time, but the following are currently being used:

    • A fresh new year
    • A fresh new year...
    • As you embrace another new year
    • Blasting new year
    • Happy 2008 To You!
    • Happy 2008!
    • Happy New Year To (emailhere)
    • Happy New Year To You!
    • Happy New Year!
    • It's the new Year
    • Joyous new year
    • Lots of greetings on new year
    • Message for new year
    • New Hope and New Beginnings...
    • New Year Ecard
    • New Year Postcard
    • New Year wishes for you
    • Opportunities for the new year
    • Wishes for the new year
    • Christmas Email
    • Cold Winter Nights
    • Feel the Holiday Spirit
    • Find Some Christmas Tail
    • Ho Ho Ho.s
    • How.s It Goin
    • I love this Carol!
    • Jingle Bells, Jingle Bells
    • Looking for something hot this Christmas
    • Merry Christmas From your Secret Santa
    • Merry Christmas To All
    • Mrs. Clause
    • Mrs. Clause Is Out Tonight!
    • Santa Said, HO HO HO
    • Seasons Greetings
    • The Perfect Christmas
    • The Twelve Girls of Christmas
    • Time for a little Christmas Cheer.
    • Warm Up this Christmas
    • Your Secret Santa

    File names can also change at any time, but the following are currently being used:

    • happy-2008.exe
    • happy2008.exe
    • stripshow.exe
    • happynewyear2008.exe

    The following domains have been used to distribute malicious code and we do not recommend users visit them:

    • hxxp://newyearcards2008.com/
    • hxxp://merrychristmasdude.com
    • hxxp://ptowl.com
    • hxxp://uhavepostcard.com
    • hxxp://yxbegan.com
    • hxxp://happycards2008.com
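
As an added example (not US-CERT code), the sketch below checks a raw mail message against the indicators listed above: subject line, linked domain and linked file name. Because the advisory notes that subjects and file names can change at any time, it also flags any link that ends in `.exe`; that heuristic, the function names and the sample messages are assumptions made for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators from the advisory: a subset of its subject lines, plus all of
# its file names and domains (domains stored without the hxxp:// scheme).
SUBJECTS = {"happy 2008!", "happy new year!", "new year ecard",
            "new year postcard", "merry christmas to all", "your secret santa"}
FILE_NAMES = {"happy-2008.exe", "happy2008.exe", "stripshow.exe",
              "happynewyear2008.exe"}
DOMAINS = {"newyearcards2008.com", "merrychristmasdude.com", "ptowl.com",
           "uhavepostcard.com", "yxbegan.com", "happycards2008.com"}
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)

def refang(url):
    """Rewrite a defanged hxxp:// URL as http:// so urlparse can split it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def check_message(raw):
    """Return the sorted reasons a raw RFC 822 message matches the advisory."""
    msg = message_from_string(raw)
    reasons = set()
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        reasons.add("subject")
    # Decode every text part so base64/quoted-printable bodies are searched too.
    body = "\n".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    for url in URL_RE.findall(body):
        parsed = urlparse(refang(url.rstrip(".,;)")))
        host = (parsed.hostname or "").lower()
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            reasons.add("domain")
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if name in FILE_NAMES:
            reasons.add("file name")
        elif name.endswith(".exe"):
            # Added heuristic, not from the advisory: listed names can change.
            reasons.add("link to executable")
    return sorted(reasons)

# Constructed sample messages; the listed URL is kept defanged on purpose.
LISTED = "Subject: Happy 2008!\n\nYour card: hxxp://newyearcards2008.com/happy2008.exe\n"
RENAMED = "Subject: Greetings for January\n\nhttp://cards.example.net/newcard.exe\n"
BENIGN = "Subject: Meeting notes\n\nAgenda: http://example.org/agenda.html\n"

if __name__ == "__main__":
    for sample in (LISTED, RENAMED, BENIGN):
        print(check_message(sample))
```
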

    US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:


    Adobe Flash Player Vulnerabilities

    added December 19, 2007 at 04:09 pm | updated December 21, 2007 at 09:52 am

    Adobe has released updates described in the Adobe Security bulletin to address multiple vulnerabilities in Flash Player. The impacts of these vulnerabilities include arbitrary code execution, privilege escalation, and cross-site scripting. The Adobe Security bulletin states that all platforms running a vulnerable version of Flash Player are affected.

    Note that CVE-2007-4324 was addressed by providing additional functionality to ActionScript, which mitigates this vulnerability. See Adobe kb402956 for more information regarding this specific CVE.

    More information regarding the vulnerabilities and remediation information can be found in the following:

    US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.


    Google Orkut Worm

    added December 20, 2007 at 04:52 pm

    US-CERT is aware of public reports of a worm propagating via Google's social network, Orkut. It has been reported that this worm spreads by sending messages to Orkut users. When a user visits an infected Orkut profile, the user becomes infected by a "scrap" that references a remote, malicious JavaScript file (virus.js).

    US-CERT urges users to take the following preventative measures to mitigate the security risks:

    • Install anti-virus software, and keep its virus signature files up-to-date.
    • Block executable and unknown file types at the email gateway.
    • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks. 


    MSRC Releases Update to MS07-069

    added December 19, 2007 at 04:09 pm

    The Microsoft Security Response Center (MSRC) has released an update to MS07-069 to address an installation error on Windows XP Service Pack 2. After installation, Internet Explorer 6 may stop responding when visiting a web site.

    More information regarding this issue can be found in:


    Cisco Releases Security Advisory to Address Vulnerability

    added December 19, 2007 at 04:09 pm

    Cisco has released Security Advisory cisco-sa-20071219-fwsm to address a vulnerability in the Cisco Firewall Services Module (FWSM). The Advisory states that only FWSM System Software Version 3.2(3) is affected. This vulnerability may lead to a denial-of-service condition.

    More information regarding this vulnerability and workaround information can be found in Cisco Security Advisory cisco-sa-20071219-fwsm.


    Apple Releases Security Updates to Address Multiple Vulnerabilities

    added December 18, 2007 at 09:14 am | updated December 19, 2007 at 08:57 am

    Apple has released Security Update 2007-009 to address multiple vulnerabilities. The impacts of these vulnerabilities include arbitrary code execution, denial of service, information disclosure, cross-site scripting, privilege escalation, and authentication bypass.

    More information regarding the vulnerabilities and remediation information can be found in:

    US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.


    HP Info Center Software Public Exploit Code

    added December 12, 2007 at 10:40 am | updated December 14, 2007 at 03:12 pm

    US-CERT is aware of a vulnerability affecting HP Info Center Software, which allows one-touch access to features on HP laptops. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands or to view or alter the system registry on affected systems.

    These reports also refer to publicly available exploit code for this vulnerability.

    HP has published an HP Quick Launch Buttons Critical Security Update to address this issue. US-CERT encourages users to apply this update to mitigate this risk.