A variant of Mydoom Worm has come out and is creating a problem.

On December 2^nd, cyber criminals started to send emails allegedly from Coca Cola, one of the most recognized brands worldwide, with subject “Coca Cola is proud to announce our new Christmas Promotion.” The messages were part of a classic social engineering attack, asking users to open the attached zip file in order to see the details of the new promotion, during the holiday season.

The zip attachment in fact carried a worm designed to compromise the user’s PC.  When the zip attachment was opened, it displayed a harmless picture while  installing a mass-mailing worm and keylogger application in the background.  The worm then connects to Whatismyip.com to get the victim’s IP address and injects itself into multiple running processes.  It launches a background instance of iexplore.exe and uses it to log keystrokes, thereby stealing personal, confidential and financial information without the user’s knowledge.

The worm spreads by copying itself onto removable media (such as USB drives), creating an autorun.inf file, which executes whenever the device is connected to another system.  The worm also sends emails with a copy of itself to email addresses harvested on the compromised computer.  The worm also spreads by copying itself in the shared folders of P2P applications.

How do IronPort’s Virus Outbreak Filters work?

IronPort’s Virus Outbreak Filters are IronPort’s zero-day protection from malware, viruses, trojans and worms.  During a typical virus outbreak, while an exploit is detected, infections run rampant until the AV venders deploy a signature to all the hosts.  During that timeframe, customers can be exposed while they are waiting for that patch.  IronPort recognized this issue early and leveraged the data we have in SenderBase to identify when that exploit occurs and then protect customers well in advance of when the patch is available and deployed.

How long is your anti-virus solution leaving you unprotected?  Click here to see AV response times for the last 20 outbreaks: http://www.ironport.com/toc/

Applied Mitigation Bulletin
—————————
http://tools.cisco.com/security/center/viewAlert.x?alertId=16944

IntelliShield Vulnerability Alert
———————————
http://tools.cisco.com/security/center/viewAlert.x?alertId=16941

PSIRT Hot Page
————–
https://psirt.cisco.com/PSIRThot/MS08-067

Please read below how your Cisco products can help you mitagate the effects of this vulnerability:

http://tools.cisco.com/security/center/viewAlert.x?alertId=16944

Microsoft released one out-of-band security bulletin that contains one vulnerability on October 23, 2008. A summary of this bulletin is on the Microsoft website at http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx. This document highlights the vulnerability that can be effectively identified and/or mitigated using Cisco network devices.

The vulnerability that has a network mitigation is in the following list. Cisco devices provide several countermeasures for the vulnerability that has a network attack vector, which will be discussed in detail later in this document.

• MS08-067

Information about affected and unaffected products is available in the respective Microsoft advisories and the IntelliShield alerts that are referenced in the following table. In addition, multiple Cisco products use Microsoft operating systems as their base operating system. Cisco products that may be affected by the vulnerabilities described in the referenced Microsoft advisories are detailed in the “Associated Products” table in the “Product Sets” section.

Vulnerability Characteristics

One Out-of-Band Microsoft Security Bulletin will be covered in this Applied Mitigation Bulletin. The following vulnerability is summarized in this document:

MS08-067, Vulnerability in Server Service Could Allow Remote Code Execution (958644): This vulnerability has been assigned CVE identifier CVE-2008-4250. This vulnerability can be exploited remotely without authentication for Windows 2000, Windows XP, and Windows Server 2003 systems and with authentication for Windows Vista and Windows Server 2008 and without user interaction. Successful exploitation of the vulnerability for CVE-2008-4250 may allow arbitrary code execution. Repeated attempts to exploit this vulnerability could result in a sustained DoS condition. The attack vector for exploitation of CVE-2008-4250 is through Remote Procedure Call (RPC) packets using TCP port 139 or TCP port 445.

Security User Group Meetings are back!!!

November’s User Group will focus on Cisco’s Web Applications Firewall.  Traditional Firewalls simply pass port 80 & port 443 as allowable traffic for web applications.  Unfortunately, over 2/3rds of today’s new attacks are application-layer attacks.  Attacks, such as cross-site scripting or SQL Injection attacks are aimed at web servers in an effort to steal identities, credit cards, etc.

The Cisco ACE Web Application Firewall combines deep Web application analysis with high-performance Extensible Markup Language (XML) inspection and management to address the full range of these threats. It secures and protects Web applications from common attacks such as identity theft, data theft, application disruption, fraud, and targeted attacks.

The Cisco ACE Web Application Firewall is especially designed to help organizations that store, process, and transmit credit card data comply with the current Payment Card Industry (PCI) Data Security Standard (DSS), requirements. Because of its unique blend of HTML and XML security, the Cisco ACE Web Application Firewall provides a full compliance solution for the PCI DSS sections 6.5 and 6.6, which mandate the implementation of a Web application firewall by June 30, 2008.

Benefits of the Cisco ACE Web Application Firewall include:

• PCI DSS regulation compliance
• Full-proxy security for both traditional HTML-based web applications and modern XML-enabled Web services applications
• Authentication and authorization enforcement to block unauthorized access
• Best-in-industry scalability and throughput for managing XML application traffic
• Positive and negative security enforcement to keep bad traffic patterns out and identify and allow only good traffic through
• Ability to deploy security policies and profiles in monitoring mode to prevent application downtime due to false positives typical in an automated learning environment
• Policy-based provisioning to increase developer productivity and improve deployment flexibility

• November 11th:  San Antonio
• November 12th:  Austin
• November 13th: Dallas
• November 14th:  Houston

Please see the Event Calendar at the top right for addesses in each city.