Security Watch

Hijackers Keep Working 24/7

Plus: Microsoft updates without your knowledge; deactivating Vista; e-mail as private data.

According to Symantec, 24/7 Real Media's ad server network was somewhat compromised by unknown criminals. Symantec stated that the criminals had managed to cause the ad serving network to append each advertisement with a criminally crafted script. The script tested the victim system to determine whether it would be susceptible to a Real Player-based exploit. If it was vulnerable, a variant of Zonebac was installed and executed. (Details in this ComputerWorld article.)

This type of exploit has been a significant concern of ours for a long time. 24/7 delivers ads to some 50 percent of online Americans each month, making it No. 15 out of the top 50 advertisers. The sites it delivers ads to are typically trusted sites -- sites which one would not expect to host malware. Worse, this form of attack is almost completely transparent to both the ad serving network and the ad hosting site. In this case, neither actually hosted the criminally crafted script.

An almost identical hack was done against the Chinese Security Incident Response Team's website a few weeks ago. There, the hack was arp spoofing, causing their Web site to route all traffic back through another compromised server on the same network (in that case, within a hosting facility.) This 24/7 issue may well be the same, depending on where 24/7's systems are being hosted.

It is imperative that anyone who hosts or delivers content from a third-party take appropriate steps to monitor the content they're hosting. Otherwise, you may well be accused -- justifiably -- of delivering malware despite all of the careful precautions you have taken.

You Need This Search
The Register reports that a number of administrators were upset as a result of a new version of Windows Desktop Search being pushed out via Windows Update. Many claimed not to have approved the update and felt it was being installed despite their configurations. Microsoft claims that the only way the update would have automatically been installed were if the system had previously installed Windows Desktop Search and that the Windows System Update Server was configured to automatically approve future updates to installed products.

Seems that nobody is claiming their WSUS was not configured the way Microsoft said it had to be in order for the update to be pushed to systems, so presumably things are working as advertised. The article cites Microsoft as acknowledging that it needs to do more work to ensure customers fully understand the configuration options and what will -- or won't -- be automatically updated as a result.

Vista Deactivated: Is Device Driver Update The Culprit?
Well, not exactly, but yes, such a thing can happen. Here's an article that discusses the problems one individual had as a result of doing several changes, over time, to the hardware in his system. In the end, it appeared that a single change, the changing of a video card, triggered Windows to force a reactivation.

Of course, if the guy had simply read the associated information about activation, he would have realized that it is dependent on a given hardware configuration. A certain number of changes are allowed (such as adding a new drive or changing a video card), but those changes are cumulative and when the system appears significantly altered, Microsoft forces reactivation. That reactivation is actually trivial, assuming you actually do it when you're prompted. This guy seems to have ignored the requests and, as a result, ended up with a system that was deactivated.

Want More Security?

This column was originally published in our weekly Redmond Security Watch newsletter. To subscribe, click here.

E-Mail Addresses and Privacy
WaPo has an interesting blog item that highlights a recent loss/theft of a database from The data contained in it included customers of SunTrust and ADP. The data was said not to contain any sensitive information, but it did include e-mail addresses. Subsequently, customers of SunTrust received targeted phishing attempts via an e-mail which spoofed a SunTrust e-mail address as the sender. So, the author posed the question: Should an e-mail address be considered sensitive information?

The author makes a reasonable point -- namely, that criminals can be more effective if they know you have an existing relationship with the company they are attempting to spoof. That the company had your e-mail address suggests you may expect an e-mail from them. However, given the trivial nature of an e-mail address that it is so easy to change and not necessarily directly related to a single individual, the author may find it difficult to make his point stick.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular