TDL3 Rootkit x64 Goes In The Wild

64-bit Windows operating systems have long been a tier above 32-bit in terms of security, but they are now the newest target for a certain rootkit. Security company Prevx found that the TDL3 rootkit, which has been active for several months, received an update that allows it to infect 64-bit Windows. This is an unprecedented development and marks the first appearance of an in-the-wild x64 rootkit.

64-bit versions of Windows are considered much more secure than their 32-bit counterparts because of advanced security features intended to make it more difficult to get into kernel mode and hook the Windows kernel.

64-bit Windows Vista and Windows 7 don’t allow every driver into the kernel memory region, due to a very strict digital signature check. If a driver has not been digitally signed, Windows won’t load it. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malware usually isn’t signed – at least, it shouldn’t be.

The second technique to prevent kernel mode drivers from altering Windows kernel behavior is the Kernel Patch Protection, also known as PatchGuard. This blocks every kernel mode driver from changing sensitive areas of the Windows kernel. Prevx describes how the rootkit gets past both techniques:

To bypass both Kernel Patch Protection and Driver Signature verification, the rootkit is patching the hard drive’s master boot record so that it can intercept Windows startup routines, own it, and load its driver. Both Windows security mechanisms are bypassed.

The first attempt at breaking x64 kernel security was the Whistler bootkit, but this rootkit is the first in-the-wild x64-compatible attack. The Prevx community had been seeing infections during the nine days leading up to 8/26/2010, when the article was written, and it is surely still active. The rootkit is spreading via porn websites and exploit kits. Prevx is currently analyzing the rootkit and thinks that TDL3 is under new owners who are modifying it for x64 compatibility. Right now it seems to be in beta, because it doesn’t always work, but it will be important to keep an eye on it.

1-in-4 Worms Spread Through Infected USB Devices

More than ever, it is important to be wary of infection not only from the internet but also from portable devices. Security company PandaLabs, the research arm of Panda Security, claims that 1 in 4 worms spread through USB flash drives and other portable storage devices, as reported by Computerworld. That includes cell phones, music players, and cameras: anything with internal storage or memory cards that can be connected to the computer.

These devices make a good infection vector because malware can easily copy itself to the device, where the worm hides so the device’s owner never knows it’s there. Once plugged into a computer, USB devices often auto-run, and malware can transfer over nearly invisibly, infecting the computer.

While a quarter of all 2010’s worms rely on USB devices to spread to other PCs, a recent Panda survey of more than 10,000 small- and medium-sized firms found that 27% of those victimized by a malware infection in the last year reported that the attack had originated with infected USB hardware, primarily flash drives.

The nasty Stuxnet worm that plagued industrial companies earlier this summer by exploiting the now-patched shortcut bug stemmed from a USB flash drive harboring malware. It targeted software that manages large-scale industrial control systems. Stuxnet loaded itself onto a PC whenever users viewed the contents of the drive with Windows Explorer or a similar program. Another famous worm that used the USB vector to spread is the Conficker worm of two years ago.

Controlling and preventing attacks from USB devices is difficult because it would involve controlling everything plugged into the computer. Even the US military is having this sort of problem, as seen in the recent news about a 2008 infection that compromised a sensitive military command network.

Earlier this week, U.S. Deputy Defense Secretary William Lynn revealed that the U.S. Central Command’s (CENTCOM) network was compromised after an infected USB drive was plugged into one of the network’s PCs. CENTCOM is the military’s joint regional command responsible for the Middle East, including Iraq and Afghanistan.

The best measures to secure PCs are to control auto-run and to virus-scan USB devices, especially after they have been on an outside network. By default, Windows doesn’t auto-run on its own and asks the user what to do. After Conficker, Microsoft updated Windows to fix a bug that prevented users from disabling auto-run. Windows 7 inherently performs auto-run a bit differently to prevent this sort of attack. In addition, Panda is offering a free tool that completely disables auto-run, called Panda USB Vaccine.
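Controlling auto-run on Windows comes down to one policy value, NoDriveTypeAutoRun, a bitmask in which each set bit disables AutoRun for one class of drive. The decoder below is an added example (not Panda’s tool and not code from the article) that turns a policy value into a readable verdict and flags the usual weak spot, removable media left enabled. The values it audits are constructed; on a real host the number is read from the Policies\Explorer key under HKLM or HKCU.

```python
# Added example, not from Panda or the article: a decoder for the Windows
# NoDriveTypeAutoRun policy value, the registry setting that turns AutoRun
# off per drive type.  The values audited below are constructed; on a real
# host the value is read from
# HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (or HKCU).

# Each bit is 1 << the GetDriveType() code for that drive class.
DRIVE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, card readers)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (type 7)",
}
DISABLE_ALL = 0xFF   # the value Microsoft documents as "AutoRun off everywhere"


def autorun_enabled_types(value: int):
    """Drive classes on which AutoRun is still permitted under `value`."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]


def audit(value: int) -> dict:
    """Decode a policy value and say whether removable media are covered."""
    remaining = autorun_enabled_types(value)
    return {
        "value": hex(value),
        "still_autoruns_on": remaining,
        "removable_covered": bool(value & 0x04),
        "recommendation": None if value & 0xFF == DISABLE_ALL
        else f"set to {hex(DISABLE_ALL)} to disable AutoRun on all drive types",
    }


if __name__ == "__main__":
    # 0x91 is the Windows default (unknown + network types only); 0x95 and 0xFF
    # are constructed comparison values.
    for v in (0x91, 0x95, 0xFF):
        print(audit(v))
```

The default value leaves removable drives, fixed drives and optical media able to AutoRun, which is why the hardened setting is the all-bits value rather than a single extra bit.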

40 Windows Apps Contain Critical Bug

Last week it was announced that 40 different Windows apps contain a bug that could be used to hijack PCs and infect them with malware. Computerworld reports that security researcher HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit, has been the one blowing the horn on these vulnerabilities. The bug was first found about four months ago, when Apple patched it in the Windows version of iTunes. The same bug remains in more than three dozen other apps, according to Moore, who wouldn’t reveal which programs are affected.

Each program will have to be patched separately by its respective developer. Moore found the bug while researching the Windows shortcut bug that was patched on August 2. He says of the vulnerability,

The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a ’safe’ file type from a network share [either on the local network or the Internet]. It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content.

Moore’s recommendations to avoid the attack are to block outbound SMB, by blocking TCP ports 139 and 445, and to disable the WebDAV client in Windows to prevent the flaws from being exploited from outside the local network. In addition, today Microsoft released a tool to block the attack. The tool changes the registry to control the DLL search path algorithm; the end result is that it blocks the loading of DLLs from remote directories.

Microsoft can’t release a single Windows patch for the issue because it lies in individual programs, but the application developers and Microsoft will work together to research the issue and create separate patches.
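The mechanism Moore describes and the mitigation Microsoft shipped both come down to where the current working directory sits in the DLL search order. The model below is an added illustration, not Microsoft’s code and not code from the article: it reproduces the default search order (application directory, system directories, current directory, then PATH), treats UNC paths as remote, and exposes the hardening as a flag that drops a remote current directory from the search. The host layout, the share name and the file names are constructed for the demo.

```python
# Added illustration (not Microsoft's code, not from the article): a model of
# the Windows DLL search order and of the "block DLL loads from remote
# directories" hardening the article describes.  All paths and the file
# contents below are constructed for the demo.
from dataclasses import dataclass


def is_remote(directory: str) -> bool:
    """UNC paths (\\\\server\\share\\...) are remote: SMB shares, or WebDAV
    folders that the Windows redirector exposes under the same syntax."""
    return directory.startswith("\\\\")


@dataclass
class Host:
    app_dir: str
    system_dirs: tuple          # System32, the 16-bit system dir, Windows dir
    cwd: str                    # current working directory of the process
    path_entries: tuple         # directories from PATH
    files: dict                 # constructed filesystem: directory -> set of names
    block_remote_cwd: bool = False   # the hardening: skip a remote CWD

    def search_order(self):
        # Default (SafeDllSearchMode on) order: application directory, the
        # system directories, the current working directory, then PATH.
        order = [self.app_dir, *self.system_dirs]
        if not (self.block_remote_cwd and is_remote(self.cwd)):
            order.append(self.cwd)
        order.extend(self.path_entries)
        return order

    def resolve(self, dll: str):
        """Return the full path Windows would load `dll` from, or None if it
        is not found anywhere on the search path."""
        for directory in self.search_order():
            names = {n.lower() for n in self.files.get(directory, ())}
            if dll.lower() in names:
                return directory + "\\" + dll
        return None


def demo(block_remote_cwd: bool) -> dict:
    """Open a document from a network share (so the share becomes the CWD)
    and see where two DLLs resolve.  kernel32.dll lives in System32;
    helper.dll is a DLL the application asks for that is not installed on
    this host, which is the situation the 40-app bug depends on."""
    host = Host(
        app_dir=r"C:\Program Files\Viewer",
        system_dirs=(r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"),
        cwd=r"\\fileserver\docs",                       # constructed share
        path_entries=(r"C:\Windows\System32", r"C:\Tools"),
        files={
            r"C:\Program Files\Viewer": {"viewer.exe"},
            r"C:\Windows\System32": {"kernel32.dll"},
            r"\\fileserver\docs": {"report.doc", "helper.dll"},  # unexpected DLL
        },
        block_remote_cwd=block_remote_cwd,
    )
    return {dll: host.resolve(dll) for dll in ("kernel32.dll", "helper.dll")}


if __name__ == "__main__":
    print("default:  ", demo(block_remote_cwd=False))
    print("hardened: ", demo(block_remote_cwd=True))
```

Two things fall out of the model: a DLL that exists in a system directory is never affected, because those directories precede the current directory, and the hardening does not "fix" a missing DLL, it just turns a load from the share into a failed lookup, which is why each application still needs its own patch.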

Facebook Warns of Clickjacking Scam

A new Facebook scam could be costing victims $5 a week, reports PCWorld, spread by the “Share” feature. The malware is similar to a worm that plagued Facebook in May with a rigged “Like” button that ran a script when clicked. A Facebook user sees an interesting link and, upon clicking it, sees a page claiming to need human verification through a 3-step process. On the second step they are asked to click a “Next” button, where the scam really starts; as it turns out, it isn’t a real “Next” button,

the “Next” button doesn’t actually have any functionality and is just a dummy. But hidden underneath the “Next” button is a functional “Share” button. So while it looks like you are just clicking on “Next” to get to the final step, what you are actually doing is posting that page to your profile wall using the Share function.

It’s noted that users running Firefox with the NoScript add-on will see it block the scam script. After the content is shared on their page by clicking the “Next” button, the user is prompted in the third step to fill out a survey for the scammers. The survey gathers personal information including a cell phone number, then adds “The Awesome Test” along with an extra $5/week to the victim’s cell phone bill, without them knowing unless they read the fine print.

Facebook’s response to the scam is to remove all fan pages relating to it. People who may have been affected should first make sure any links posted to their wall have been removed, manually removing any stray ones. Second, if they filled out the survey, they should contact their cell phone company to check for extra charges.
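The hidden “Share” button works only because the scam page can load the real button inside a frame it controls; the server-side defence is a response header that forbids framing. The checker below is an added example (not PCWorld’s or Facebook’s code) that reads a page’s X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports whether a given third-party origin could frame it. The origins and header sets are constructed; port numbers and the rarer CSP source forms are deliberately not modelled.

```python
# Added example, not from PCWorld or the article: a checker for the response
# headers that stop a page from being framed, which is what the hidden-button
# trick described above relies on.  Header values and origins below are
# constructed.


def _ancestor_allowed(sources, page_origin, framer_origin):
    """Evaluate a CSP frame-ancestors source list (simplified: exact origins,
    'self', 'none' and https://*.host wildcards; ports are not modelled)."""
    page = page_origin.lower().rstrip("/")
    framer = framer_origin.lower().rstrip("/")
    for src in sources:
        s = src.lower().rstrip("/")
        if s == "'none'":
            return False
        if s == "'self'" and framer == page:
            return True
        if s == framer:
            return True
        if "://*." in s:                      # wildcard matches subdomains only
            scheme, _, host = s.partition("://*.")
            fscheme, _, fhost = framer.partition("://")
            if scheme == fscheme and fhost.endswith("." + host):
                return True
    return False


def framing_allowed(headers, page_origin, framer_origin):
    """True if a page served from page_origin with these response headers may
    be embedded in a frame by framer_origin.  A frame-ancestors directive
    takes precedence over X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return _ancestor_allowed(parts[1:], page_origin, framer_origin)
    xfo = h.get("x-frame-options", "").strip()
    keyword = xfo.split()[0].upper() if xfo else ""
    if keyword == "DENY":
        return False
    if keyword == "SAMEORIGIN":
        return framer_origin.lower().rstrip("/") == page_origin.lower().rstrip("/")
    if keyword == "ALLOW-FROM" and len(xfo.split()) > 1:
        allowed = xfo.split(None, 1)[1].strip().rstrip("/").lower()
        return allowed == framer_origin.lower().rstrip("/")
    return True            # no framing protection at all: any site can overlay it


def audit(page_origin, responses, framer_origin):
    """Report, per named response, whether framer_origin could frame it."""
    return {name: framing_allowed(hdrs, page_origin, framer_origin)
            for name, hdrs in responses.items()}


SAMPLE_RESPONSES = {   # constructed header sets for the demo
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-partner": {"Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'self' https://partner.example"},
}

if __name__ == "__main__":
    print(audit("https://social.example", SAMPLE_RESPONSES, "https://survey-scam.example"))
```

Run against the constructed set, only the "unprotected" response can be framed by the third-party origin; the same CSP response still admits the listed partner origin, which is the usual reason sites prefer frame-ancestors over a blanket DENY. A client-side add-on such as NoScript catches the overlay from the other end, but it protects only users who install it.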

Computer Business Kit

The Computer Business Kit is a collection of sample business forms and documents that are needed in the computer business. The Computer Business Kit Contains:
  • Maintenance Contract
  • Backup Checklist
  • Work Order Samples
  • Invoice Samples
…and much more.

Malicious Widget Hacked Millions of Web Sites

As many as five million web sites hosted by Network Solutions have been serving malware, reports Computerworld. Wayne Huang, co-founder and CTO of Armorize Technologies, estimates the number of infected sites to be between 500,000 and 5 million. The attack could be one of the largest drive-by download infections yet.

Huang’s firm originally tracked the malware to a widget installed by Network Solutions on its GrowSmartBusiness.com site and later found that the widget had been installed on all parked domains. Parked domains are sites that have been registered but lack any content; malware makers and scammers have used such sites in the past to serve malware or artificially boost search rankings.

The widget turned every infected domain into a drive-by attack site that launched the multi-exploit “Nuke” toolkit against users running Internet Explorer, Firefox, Chrome and Opera. If the kit successfully compromised the browser, a Trojan downloader hit the Windows PC, searches were redirected and pop-up advertisements appeared.

The Trojan downloader identified by anti-virus programs turned out to be a variant of the Koobface virus more commonly seen on Facebook; along with it was a malicious script that only targeted IPs from Hong Kong and Taiwan. The true number of infected sites is likely at the high end of the estimate, because search engines were used to count how many sites had the widget and they generally don’t index parked domains.

In response to the attacks, Network Solutions has disabled the widget on all parked domains and taken down the GrowSmartBusiness.com site. The attack isn’t entirely cleaned up yet: the malicious script remains, and the widget is still on 5,700 active sites that installed it manually. Network Solutions issued a security alert about the widget telling customers to remove it and scan for malware.

Microsoft Warns Exploits Coming for Newly-Patched Bugs

Microsoft warned on Tuesday that a record number of exploits will probably be released in the next 30 days for newly patched vulnerabilities. As reported by Computerworld, of the 35 bugs patched this month, Microsoft assigned an exploitability rating to 32. The exploitability rating is a score of how likely the company thinks reliable attack code is to appear; 18 bugs were assigned a rating of 1, meaning Microsoft anticipates reliable attack code within the next 30 days. The number of 1 ratings this month also breaks the previous record of 17, set in June 2010.

The Microsoft Security Response Center published a table that breaks down the risk of every bug updated in August and predicts what will happen in the next 30 days.

Applying this month’s updates will prove to be critically important to avoid these attacks,

Security researchers yesterday essentially agreed with Microsoft that the month ahead could be rocky for users who are slow to apply patches. Most contacted by Computerworld believe exploits will quickly appear for several of the vulnerabilities patched Tuesday, including a pair of media-related bugs, several in Office 2007, six in Internet Explorer, and another pair in Silverlight, Microsoft’s answer to Adobe’s Flash.

However, things aren’t entirely dire; the upside is that most of these attacks will require user interaction. The best thing to do is patch as soon as possible and make sure clients are patched as well.

Microsoft Slates Record-Setting Monster Patch Tuesday

In a few days, expect your computer to spend a bit of time updating: Computerworld reports that this month’s Patch Tuesday, on August 10, will have a record 14 updates patching 34 vulnerabilities in Windows, Internet Explorer, Office, and Silverlight. Eight of those updates are tagged Critical, the highest threat ranking, and the rest are Important, the second-highest ranking. The number of updates beats the old record by one.

The 14 updates — Microsoft dubs them “bulletins” — are a record, beating the count from both February 2010 and October 2009 by one. The 34 individual patches equals the single-month record, which was first set last October and repeated in June 2010. And the eight critical updates next week will also tie the record set in October 2009.

The size of Patch Tuesday alternates: even-numbered months get bigger updates and odd-numbered months get smaller ones. So while July had only 4 bulletins, June boasted 10. Internet Explorer also updates every other month, and the last IE update was in June. There will be 10 updates for Windows, 2 for IE and Silverlight, and 2 for Office. The updates affect all current versions of Windows; this does not include XP SP2, since Microsoft recently dropped SP2 support. More info is at the Microsoft bulletin.

Adobe Confirms PDF Zero-Day, Plans Rush Patch

Adobe announced today that it will issue an out-of-band patch around August 16 for a new vulnerability discovered in Reader and Acrobat, as reported by Computerworld. The bug was disclosed at the Black Hat security conference last month by researcher Charlie Miller while he was demoing the open-source BitBlaze toolkit. The bug lies in the way Reader and Acrobat parse fonts: it can be exploited to corrupt memory with a crafted TrueType font, and a successful attack can allow code execution.

Adobe also hinted that there are a few more fixes in this update; there will also be a regular quarterly update on October 12. This bug happens to resemble the way jailbreaks for iPhones and iPods work – by exploiting font-parsing errors – but the bugs in Reader and in Apple’s mobile OS are not related.

This is one of several out-of-band updates released so far this year by Adobe, befitting Reader’s status as the software most targeted by malware. The upcoming Reader 10 will include sandbox technology that should help protect against attacks like this one. This update is for Windows, Unix, and Mac; see the posted Adobe bulletin for more.

Microsoft Issued Emergency Patch for Shortcut Exploit

Computerworld reports that yesterday Microsoft released an out-of-schedule patch, MS10-046, for the recent shortcut exploit issue. The past few weeks have seen increasing reports of attacks using the shortcut exploit, especially in the past few days. Microsoft felt it was too serious a problem to wait until the next scheduled Patch Tuesday. The patch was released at 1 p.m. Eastern on Monday.

Recall the way the attack works:

two weeks ago, Microsoft confirmed a flaw in how Windows parses shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.

The day after the flaw was announced by security blogger Brian Krebs on July 15, Microsoft admitted it was already being exploited by the “Stuxnet” worm, which targets PCs that manage large-scale industrial control systems in manufacturing and utility companies. Exploit code also became available online, and Microsoft found several more attack campaigns using the vulnerability. One of those campaigns involved a particularly nasty malware family called “Sality”, found by the team responsible for making signatures for Microsoft antivirus products, including Security Essentials. The discovery of Sality using the exploit apparently spurred Microsoft to release an out-of-band update.

Holly Stewart of the Microsoft Malware Protection Center wrote on the team’s blog,

Sality is a highly virulent strain … known to infect other files, making full removal after infection challenging, copy itself to removable media, disable security, and then download other malware. It is also a very large family — one of the most prevalent families this year.

Sality seriously upped the number of PCs under attack; it quickly surpassed the numbers seen with Stuxnet. Microsoft also knew that other malware families would soon pick up the shortcut exploit. All versions of Windows, including the preview of Windows 7 SP1 and older versions like 2000, have the vulnerability. Get patch MS10-046 through Automatic Update or visit the Microsoft bulletin for more info and download links.

Most Browsers Can be Made to Give Up Personal Data

All the common browsers are subject to exploits that use the auto-complete feature to force them to give up personal data, as presented at the Black Hat security conference last week. Computerworld reports that the presentation, “Breaking browsers: Hacking Auto-Complete”, is by Jeremiah Grossman, the CTO of WhiteHat Security. None of the techniques used were that difficult, and the data that can be gathered from auto-complete includes names, addresses, e-mail addresses, and sometimes passwords, credit card numbers, and search entries.

That data can be used to break into bank or email accounts, or to set the victim up for more malware that can get more data out of them. The best way to avoid the attack is to turn auto-complete off.

Grossman was able to hack the auto-complete of different versions of Internet Explorer, Safari, Chrome and Firefox, including Internet Explorer 6 and 7, which sadly account for a third of all browsers in use. He had to come up with a different technique for each browser. He thinks the browsers can be patched and contacted each browser vendor, but none gave him definite plans for updates. The exception is Apple, which pushed out a quick update for Safari’s auto-complete problem the day before the presentation.