Monday, March 3, 2008

Daily Report

• According to the Providence Journal, the director of the Rhode Island Nuclear Science Center, which runs a nuclear reactor at the University of Rhode Island’s Bay Campus, said the Government Accountability Office’s (GAO) report on the threat of terrorist attacks to research reactors “is not realistic.” The report accused the U.S. Nuclear Regulatory Commission (NRC) of underestimating the potential for terrorist attacks at some of the country’s 37 research reactors, 33 of which are on college campuses across the country. (See item 4)

• CNN reports police in Las Vegas, Nevada, are investigating the discovery of what they said is the deadly poison ricin in a hotel room. Authorities were called to an Extended Stay America hotel around 3 p.m. PT Thursday after a man brought a bag with a small container to the manager’s office. The man said he found it while retrieving items from a hotel room. (See item 26)

Information Technology

22. February 29, Register – (International) Symantec and Trend grapple with buffer overflow bugs. Security products from both Trend Micro and Symantec -- two of the big three anti-virus players -- have been found to contain serious security vulnerabilities. Errors in Symantec’s Decomposer engine create a denial of service or system compromise risk for several enterprise security products (such as Mail Security for Microsoft Exchange and AntiVirus for Network Attached Storage). The vulnerabilities, triggered when processing malformed RAR archive files, might be used to inject malware onto vulnerable systems (in the most serious case) or crash servers. Security researchers at iDefense discovered the flaws. Symantec published an advisory on Tuesday explaining how systems administrators can update their software. Decomposer components decompress or unpack files. The components have been something of a weak spot in Symantec products of late. As well as being the root cause of the latest security bugs, troubles in updating Decomposer files were behind an error-generating bug that caused all sorts of grief for corporate systems administrators earlier this month. Separately, independent security researchers have discovered buffer overflow bugs in OfficeScan and Policy Server software packages from Trend Micro. Systems administrators are advised to restrict network access to the services pending the availability of patches.

23. February 29, – (International) Hackers use common packing methods to infect users. BitDefender Lab’s latest malware list highlights common packing methods used by hackers. A variety of threats, rather than a specific virus, features in the BitDefender Top 10 Malware List for February 2008. When grouped together by BitDefender virus detection engines, it was noted that all the threats used the same packing method. “Virus writers use packers to decrease the size of the virus and to increase the cost of analysis -- unpacking something packed in an as-yet unknown manner takes a lot of time and skill,” said the head of BitDefender AV Research. The Peed/Storm Trojan accounted for 16.88 percent of total detections, a strong resurgence given its absence from the January Top 10 Malware List. The “popularity” of the Windows WMF vulnerability decreased as viruses using its signature accounted for 5.33 percent of total detections. Lower on the list are a host of much older mass mailer viruses, on their way to irrelevancy, said BitDefender. These viruses account for approximately 6 percent of total detections -- more than half of which are a result of Netsky.P. “By this point, I think it is safe to say that Netsky.P is the most widespread mass mailer virus of all time,” said BitDefender.

24. February 28, Channel Register – (International) Malware removes rival rootkits. Miscreants have created a strain of malware capable of removing rootkits from compromised PCs, only to install almost undetectable backdoor code of its own. The Pandex Trojan stops previously installed rootkits from working by removing their hooks into system calls. Pandex then installs its own rootkit component, detected by Trend Micro as Pushu-AC. Rootkits are a type of malware that hide their presence on infected PCs, making them more dangerous than typical viruses. By operating below the level of traditional malware scanning tools, rootkits are able to carry out covert functions, for example keystroke-logging, without detection. Virus writers have competed for control of vulnerable PCs several times in the past. For example, in 2005 separate groups of hackers released a barrage of worms in a battle to seize control of Windows PCs vulnerable to the then infamous Windows Plug-and-Play (PnP) vulnerability. The Bozori worm was programmed to remove infections by earlier versions of the Zotob worm and other malware, so it could take control of a compromised computer for itself. A family of IRC bots that exploit the same Microsoft Plug and Play vulnerability likewise tried to remove competing PnP bots. More recently, a turf war erupted between the creators of the Storm worm and rival gangs. The Pandex Trojan updates this dishonorable tradition with code that replaces stealthier malware infections.

Communications Sector

25. February 29, – (National) Got Cisco? Are you sure? The Federal Bureau of Investigation reported today more than 400 seizures of counterfeit Cisco equipment and labels worth more than $76 million filtering into the United States from China. The effort, which has been ongoing since 2005, is being driven by DHS and the FBI. Immigration and Customs Enforcement and Customs and Border Protection conducted 28 investigations and managed six indictments and four felony convictions, with more than 74,000 fakes seized, while the FBI’s portion of the initiative, dubbed Operation Cisco Raider, resulted in 36 search warrants with approximately 3,500 counterfeit network components identified, and a total of ten convictions. The government is among the most profitable markets for Cisco. That makes federal agencies as susceptible as any to getting duped. In 2004, for example, counterfeit Cisco switches landed in one of the Navy’s secure facilities. One contractor involved was recently found liable, and now the circumstances are being investigated by the Navy’s Acquisition Integrity Office.