Do you like our spider?  Nature photography by Drake Environmental

Wednesday, July 23, 2014
  Our sponsors
  Top Forum Posts
Bogus Electronic Greeting Cards by DavidGray
What Is It? For almost a year, we ...
Router password vulnerability on most routers by LeeDrake
What it is Happy 2008!  And t...
Critical RealPlayer Update Available by DavidGray
What Is It? A remote code executio...
A Word of Caution About Social Networking Web Sites by DavidGray
What Is It? Social networking Web ...
Microsoft Releases Critical Updates for Office 2000 and Office 2004 for the Apple Macintosh by DavidGray
What Is It? Just as all the kids a...
Critical Vulnerabilities in Adobe (Macromedia ) Flash Player by DavidGray
What Is It? Adobe, which now owns ...
Trojan disguises itself as greeting card by LeeDrake
What it is You may have noticed gr...
Critical Updates for Apple Macintosh OS X by DavidGray
What Is It? Apple Computer, Inc.&n...
Critical Update for Animated Cursor Vulnerability in Microsoft Windows by DavidGray
What Is It? There is an unchecked...
DST Adjustments for All Windows Computers by DavidGray
DST Adjustments for All Windows Com...
Click here to visit OS-Cubed, Inc.
Viruswarn banner
  The new improved

Welcome to the new, improved  While we're just starting to get the site back up and running, we have some exciting new capabilities.  For the first time the forums for Viruswarn will be integrated directly into the website, rather than hosted at  You will be able to interact with the authors and participate in online discussions.

In addition, we plan to syndicate our blogs, and all our forum content so that you can easily reproduce it on your own site, or add it to your site's main web page.  This syndication capability will make us your source for virus and security warning info.

Once you've registered and logged in you'll have access to exclusive members-only content.

  Infected? Dance the tango!
Dance the Security Tango
  Register or Login

Forgot Password ?
  Recent Viruswarn posts
  Sign up for Viruswarning   

If you don't already receive the viruswarning emails you may login and register for the site and send us a request.  Once you login you'll see the request form here on the home page.  You must register for the site (which gives you full access to the forums) AND also register for the viruswarn mailing list.  If you sign up for the site without signing up for the mailing list - you will not receive the viruswarning notices in your email.

You may always unsubscribe, or change your email from this page as well.

  CERT Alerts
CERT technical alerts
TA14-150A: GameOver Zeus P2P Malware 06/02/2014
Original release date: June 02, 2014 | Last revised: June 06, 2014

Systems Affected

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012


GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, [1] uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.


GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. [2] Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. 

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. [1] GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. [3] Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult. [1]


A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users' credentials for online services, including banking services.


Users are recommended to take the following actions to remediate GOZ infections:

  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.

F-Secure (Windows Vista, 7 and 8) (Windows XP)

Heimdal (Microsoft Windows XP, Vista, 7, 8 and 8.1)   

McAfee (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)

Microsoft (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP) 

Sophos (Windows XP (SP2) and above) 

Symantec (Windows XP, Windows Vista and Windows 7)

Trend Micro (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.



Revision History

  • Initial Publication - June 2, 2014
  • Added McAfee - June 6, 2014

This product is provided subject to this Notification and this Privacy & Use policy.

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160) 04/08/2014
Original release date: April 08, 2014

Systems Affected

  • OpenSSL 1.0.1 through 1.0.1f
  • OpenSSL 1.0.2-beta


A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.


OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability.  Additional details may be found in CERT/CC Vulnerability Note VU#720951.


This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.


OpenSSL 1.0.1g has been released to address this vulnerability.  Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.


Revision History

  • Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

TA14-069A: Microsoft Ending Support for Windows XP and Office 2003 03/10/2014
Original release date: March 10, 2014 | Last revised: June 18, 2014

Systems Affected

  • Microsoft Windows XP with Service Pack 3 (SP3) Operating System
  • Microsoft Office 2003 Products


Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:

  • Security patches which help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates


All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3]

Microsoft will send “End of Support” notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration manager, or Windows Intune will not receive the notification. [4]


Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows XP or Office 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]


Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats.

Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft “End of Support” pages for Windows XP and Office 2003 offer additional details.

There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.

Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.


Revision History

  • March 10, 2014 - Initial Release
  • June 18, 2014 - A spelling correction was made.

This product is provided subject to this Notification and this Privacy & Use policy.

TA14-017A: UDP-based Amplification Attacks 01/17/2014
Original release date: January 17, 2014 | Last revised: March 07, 2014

Systems Affected

Certain UDP protocols have been identified as potential attack vectors:

  • DNS
  • NTP
  • SNMPv2
  • NetBIOS
  • SSDP
  • CharGEN
  • QOTD
  • BitTorrent
  • Kad
  • Quake Network Protocol
  • Steam Protocol


A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.


UDP, by design, is a connection-less protocol that does not validate source IP addresses.  Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge the IP packet datagram to include an arbitrary source IP address [7].  When many UDP packets have their source IP address forged to a single address, the server responds to that victim, creating a reflected Denial of Service (DoS) Attack.

Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request.  Where before, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack, now a single packet can generate tens or hundreds of times the bandwidth in its response.  This is called an amplification attack, and when combined with a reflective DoS attack on a large scale it makes it relatively easy to conduct DDoS attacks.  

To measure the potential effect of an amplification attack, we use a metric called the bandwidth amplification factor (BAF).  BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [9] [10].

The list of known protocols, and their associated bandwidth amplification factors, is listed below.  US-CERT would like to offer thanks to Christian Rossow for providing this information to us.  For more information on bandwith amplificatication factors, please see Christian's blog and associated research paper.

ProtocolBandwidth Amplification FactorVulnerable Command
DNS28 to 54see: TA13-088A [1]
NTP556.9see: TA14-013A [2]
SNMPv26.3GetBulk request
NetBIOS3.8Name resolution
SSDP30.8SEARCH request
CharGEN358.8Character generation request
QOTD140.3Quote request
BitTorrent3.8File search
Kad16.3Peer list exchange
Quake Network Protocol63.9Server info exchange
Steam Protocol5.5Server info exchange



Attackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack.



Detection of DRDoS attacks is not easy, due to their use of large, trusted servers that provide UDP services.  As a victim, traditional DoS mitigation techniques may apply.

As a network operator of one of these exploitable services, look for abnormally large responses to a particular IP address.  This may indicate that an attacker is using your service to conduct a DRDoS attack.


Source IP Verification

Because the UDP requests being sent by the attacker-controlled clients must have a source IP address spoofed to appear as the victim’s IP, the first step to reducing the effectiveness of UDP amplification is for Internet Service Providers to reject any UDP traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released Best Current Practice 38 document in May 2000 and Best Current Practice 84 in March 2004 that describes how an Internet Service Provider can filter network traffic on their network to reject packets with source addresses not reachable via the actual packet’s path [3][4].  The changes recommended in these documents would cause a routing device to evaluate whether it is possible to reach the source IP address of the packet via the interface that transmitted the packet. If it is not possible, then the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for most popular types of DDoS attacks. As such, we highly recommend to all network operators to perform network ingress filtering if possible.  Note that it will not explicitly protect a UDP service provider from being exploited in a DRDoS (all network providers must use ingress filtering in order to completely eliminate the threat).

To verify your network has implemented ingress filtering, download the open source tools from the Spoofer Project [5].

Traffic Shaping

Limiting responses to UDP requests is another potential mitigation to this issue.  This may require testing to discover the optimal limit that does not interfere with legitimate traffic.  The IETF released Request for Comment 2475 and Request for Comment 3260 that describes some methods to shape and control traffic [6] [8].  Most network devices today provide these functions in their software. 


Revision History

  • February 09, 2014 - Initial Release
  • March 07, 2014 - Updated page to include research links

This product is provided subject to this Notification and this Privacy & Use policy.

TA14-013A: NTP Amplification Attacks Using CVE-2013-5211 01/13/2014
Original release date: January 13, 2014 | Last revised: February 05, 2014

Systems Affected

NTP servers


A Network Time Protocol (NTP) Amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible NTP servers to overwhelm a victim system with UDP traffic.


The NTP service supports a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is provided via the “monlist” command. The basic attack technique consists of an attacker sending a "get monlist" request to a vulnerable NTP server, with the source address spoofed to be the victim’s address.


The attack relies on the exploitation of the 'monlist' feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim. Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the “monlist” functionality.



On a UNIX-platform, the command “ntpdc” will query existing NTP servers for monitoring data. If the system is vulnerable to exploitation, it will respond to the “monlist” command in interactive mode. By default, most modern UNIX and Linux distributions allow this command to be used from localhost, but not from a remote host. To test for monlist support, execute the following command at the command line:



Additionally, the “ntp-monlist” script is available for NMap, which will automatically display the results of the monlist command. If the system does not support the monitor query, and is therefore not vulnerable to this attack type, NMap will return an error type 4 (No Data Available) or no reply at all.


Recommended Course of Action

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.

To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery


Revision History

  • January 13, 2014 - Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

Provided by
  Most recent blog entries   
Buy our spider!
Lee's Blog By Lee Drake on 1/28/2007
Viruswarn has a cafepress store where you can buy logo t-shirts, hats, mousepads and other paraphenalia....
Comments (0) More...

Safe Handling of Email Messages
Wizard Wisdom By David Gray on 1/26/2007
Recent press coverage and personal correspondence suggest to me that the social engineering tactics being used by the bad guys is greatly improved, and now is a good time to share my method of filtering email messages with others.
Comments (0) More...

Hide Thy JavaScript
Wizard Wisdom By David Gray on 1/23/2007
This article describes a technique that I developed, which allows me to keep all the JavaScript code used by a page in "code behind" files similar to those employed by Visual Web Developer 2005 to separate the code from the presentation and data in ASP.NET applications.
Comments (0) More...

Vista information page on
Lee's Blog By Lee Drake on 12/26/2006
We've started a page on Windows Vista on's site...
Comments (0) More...

Help in the Struggle for Strong Passwords
Wizard Wisdom By David Gray on 12/19/2006
This article discusses two new tools that recently became available, to help you create really strong passwords.
Comments (0) More...

100,000,000 and counting
Lee's Blog By Lee Drake on 12/18/2006
So far, according to a recent NY Times story, over 100,000,000 records have been compromised in data theft cases....
Comments (1) More...

OS-Cubed sponsors GVCSHRM trip to China
Lee's Blog By Lee Drake on 12/8/2006
Fernan Cepero of the Genesee Valley Chapter of the Society for human Resource Management is going to China as a human resource ambassador - OS-Cubed is sponsoring his blog...
Comments (0) More...

600 spams over the weekend
Lee's Blog By Lee Drake on 11/20/2006
Over the weekend my various email accounts received over 650 spam messages. Of those only about 30 ended up in my inbox (approximately 4.6%). No good mail ended up being filtered. How did I achieve this, and why isn't everyone seeing these same results?
Comments (1) More...

Top 20 vulnerabilities updated
Lee's Blog By Lee Drake on 11/17/2006
SANS updated it's top 20 security vulnerabilities this month. There has been some changes since last year's update....
Comments (0) More...

Saving your bacon
Lee's Blog By Lee Drake on 10/27/2006
A good backup and UPS can improve your systems safety and reliability and save you thousands in lost time and productivity.
Comments (0) More...

Copyright 2006 by OS-Cubed, Inc.   Terms Of Use  Privacy Statement