Looks like this is doing the rounds again but this time targeting those running Microsoft Word. If your customers download and install the “update” they’re basically installing Troj/Kango-D.

From the Sophos website:

The greeting is personalized (Dear: <firstname> <lastname>), mentions you are subscribed to the "Microsoft Windows Update mailing list", and asks you to download the patch from:

http://windowsupdate.microsoft.com/outlook/update-0-day/download.aspx?id=63852

Once the above link is clicked, a request is not made to "microsoft.com" but instead to one of many compromised sites hosting a Trojan, proactively detected by Sophos as Mal/Behav-112.

An interesting feature of this campaign is that the target's full name, and in most cases the organization they are associated with, is mentioned within the message. The samples we have received also list a bogus Microsoft Windows Licence key, all in an attempt to make the message look legitimate to the recipient.

REGISTERED TO : <Firstname> <Lastname> , - <Organization>
Licence KEY : <key>

Sample Screenshot:

[image: microsoft-update500]

To be on the safe side we’ve blasted out an email to our customers making them aware of it.
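The lure works because the link text shows a Microsoft URL while the href behind it points at a compromised host. As an added illustration (not code from Sophos or from this blog), here is a small Python check that parses an HTML e-mail body and flags anchors whose visible host differs from the host the href actually goes to. The sample message and the `compromised-site.example` host are constructed for the example; the displayed URL is the one quoted above.

```python
"""Flag hyperlinks in an HTML e-mail whose visible text names one host while the
href points at another. Added example, not Sophos's or BMS's code; the e-mail body
below is constructed and compromised-site.example is a placeholder host."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lower-cased host of a URL, or "" if there is none."""
    if "://" not in url:
        url = "http://" + url  # visible link text often omits the scheme
    return (urlparse(url).hostname or "").lower()


def _same_or_subdomain(shown, actual):
    """True when the real host is the displayed host or a subdomain of it."""
    return actual == shown or actual.endswith("." + shown)


def find_mismatched_links(html):
    """Return [(visible_text, href)] for anchors whose displayed host differs
    from the host the href really points to. Text with no host claim
    (e.g. "click here") is ignored."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not href:
            continue
        shown = _host(text)
        if not shown or "." not in shown:
            continue  # plain words carry no host claim to contradict
        if not _same_or_subdomain(shown, _host(href)):
            flagged.append((text, href))
    return flagged


# Constructed sample modelled on the lure described in the post: the visible
# text claims windowsupdate.microsoft.com, the href goes to a placeholder host.
SAMPLE_EMAIL = """
<p>Dear John Smith,</p>
<p>You are subscribed to the Microsoft Windows Update mailing list.
Download the patch from
<a href="http://compromised-site.example/dl/update.exe">http://windowsupdate.microsoft.com/outlook/update-0-day/download.aspx?id=63852</a></p>
<p>Consistent links are left alone:
<a href="https://support.microsoft.com/">support.microsoft.com</a>
and <a href="https://example.org/help">click here</a></p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {text!r} but links to {href!r}")
```

Run as a script it prints one mismatch line for the constructed message. The subdomain allowance is deliberate so that `login.example.com` behind text reading `example.com` is not reported; a stricter policy can drop `_same_or_subdomain` and compare hosts exactly.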


Spotted this on the Sophos security blog:

Finding vulnerabilities for popular products is one of the best ways for a previously unknown application security company or a hacking group to get themselves known in the industry. The more popular the product, the bigger the potential reward for the group that discovered the first vulnerability.

It is therefore no surprise that iPhone, running a scaled down version of Mac OS X, became one of the primary targets of security researchers as soon as it hit the shops in the US on 28th of June.

Today, a company called Independent Security Evaluators disclosed preliminary details of an iPhone vulnerability which will be fully disclosed at the Black Hat conference in Vegas next week.

Although the full details of the vulnerability and the exploit are not published the concept seems plausible. It seems that the group has managed to find a vulnerability in MobileSafari, the web browser used by iPhone. Since websites are one of the most common sources of malware it is not surprising that the iPhone attack is making use of the web.

As with other browser attacks the user has to visit a malicious web page using a vulnerable browser. Once the malicious page is visited the code on the page exploits a vulnerability and starts a piece of executable code (shellcode) in the background.

The theory is that once the shellcode is running in iPhone's memory, the phone is compromised and the attacker can access all the details available to the user. iPhone, like many other PDA-type devices, has a simplified single-user security model with all processes having unrestricted access rights. This unfortunately means that any exploited process will also have full access to the user data and the functionality of the iPhone. Unfortunately, Apple has closed iPhone for third party applications, which means that they will have to release a patch as soon as possible since they will not be able to rely on other security vendors for protection.

One thing that bothers me with this disclosure is its timing. Although ISE claim that they have notified Apple about this problem they have chosen to disclose the details before allowing Apple enough time to release a patch. This seems rather irresponsible from a group that considers themselves serious security researchers. Next week when ISE will be releasing the full details of the vulnerability I will also be at the Black Hat conference and I hope to be able to find out more and discuss their somewhat questionable disclosure policy.

Vanja, SophosLabs UK

I’ve just read this article over at Redmondmag.com. This really brings home the responsibility we have as an outsourced IT consultancy when it comes to protecting our clients’ data and ensuring ethical practices are adhered to.

We admit it, we love ISA server at BMS. Ever since we found out how easy it makes it to publish Terminal and Web Servers we have nothing but admiration for it. The flexibility and monitoring capabilities make it our firewall of choice. If you set it up using the Internet setup wizard in SBS it’s secure, stable and causes very few problems. We normally export the config at this point in case we make some silly mistakes, can’t work out what we’ve done and need to roll it back.

It seems not everyone is as in love with ISA. We recently took on 3 support contracts from different sources, and although each has SBS Premium, not one of them had installed ISA. I’ve also heard Microsoft partners say they don’t install it and prefer to rely on a hardware firewall. The problem is these people have yet to be seduced by the slinky ISA Server and all she has to offer.

I urge anyone who’s ever turned off ISA in favour of a hardware (or software) firewall to take a closer look. Install SBS in a test environment, or use a virtual machine and start poking around a little - she won’t mind, ISA can be a very forgiving mistress. Take a peek at the Tasks tab and see how easy it is to get started. If you’re not sure or have lost your way click through to the help pages - you’ll be amazed at how much useful info they contain.

Like any relationship there will be ups and downs, questions that go unanswered and annoying foibles that start to irritate after a while. Don’t panic, help is at hand in the very capable form of Dr. Thomas W. Shinder who can be found over at ISAServer.org. The good doctor along with others besotted by ISA’s charms are there to help you when your relationship is on the rocks. These guys really know their stuff. Take a look at some of the articles and you’ll soon discover their obsession is total.

A word of warning: Getting involved with Mistress ISA is not a “no strings attached” relationship. I guarantee you will want more and more - addiction is a dangerous thing but it brings with it some tremendous rewards.

We have an unusual problem with Sophos at the moment. The workstations stopped updating, or to be more precise they tried to update but failed. On further investigation it was suggested by Sophos that we re-install the Control Centre on the server which we did. Now the Control Centre fails to go through the second phase of the install on the server.

The problem was first escalated to 2nd line support and has now been escalated to the development team. Luckily this is on our server rather than one of our clients, but we have now been without mail gateway protection for over 2 weeks. Obviously we have put in place temporary measures to protect ourselves, but in this day and age it seems unacceptable to me that we are in this position.

We have always championed Sophos as our AV vendor of choice as they usually provide excellent backup & support as well as having a decent reseller package. This episode may make me look further afield though.