Last Updated: 2007-08-28 18:05:10 UTC
by Maarten Van Horenbeeck (Version: 1)
As of yesterday, August 27th, 2007, BIND 8 is End of Life. This means no further updates will be released for this version. While recent statistics are not available, there is plenty of chance several organizations are still running a BIND 8 version.
Should you be one of these, we strongly advise you to schedule in a controlled upgrade to version 9 as soon as possible. Migrating from one major version to the next, for any software, is something you do not wish to do in a hurry when a significant security vulnerability is found.
Last Updated: 2007-08-28 13:45:47 UTC
by Maarten Van Horenbeeck (Version: 1)
Secunia has reported an unfixed, unconfirmed remote code execution vulnerability in MSN Messenger’s Video Conversation functionality. An exploit appears to be available of which the description states it will cause a Denial-of-Service attack on MSN Messenger, and likely allows remote code execution on Win2k SP4 Chinese. If accurate, an offset change is likely all that is needed for this to work on other language releases.
According to the report, Windows Live Messenger 8.1 and higher are not affected. While Microsoft has not yet officially confirmed this vulnerability, we advise users not to accept untrusted video conversation sessions at this time.
We'll keep you updated on this issue. Thanks to Juha-Matti for bringing it to our attention.
Last Updated: 2007-08-28 12:55:22 UTC
by Maarten Van Horenbeeck (Version: 3)
Note: please tread carefully here. While we've obfuscated all malicious links, some of them are still live on the internet. Over the weekend we have been working with anti-virus vendors as well as the regional CERT team to have the issue resolved, but we haven't been quite as succesful as we've hoped. This attack doesn't merely apply to the site mentioned, but spreads out over hundreds of compromised sites - so you may feel like filtering the malicious URL mentioned.
At least if you believe everything your neighborhood webmaster tells you... Early last week, the forum of the website of Leuven, a major student town in Belgium, got compromised. National press reported the compromise occurred through so-called SQL infection (sic), after which links to a .cn web server were added. In an interview, an IT representative of the local government stated that the "hack was not malicious. No data on the website was removed, altered or stolen".
Naturally, we want to have a look at what this code does. It's easy to execute VBScripts on the desktop using the Windows Script Host, or WSH, and its tool wscript. The content can just be copied into a vbs file and executed. However, that's not what we want to do here, since the script says EXECUTE. Not a good idea.
So, let's change these commands around a bit. Wscript contains a function that allows you to echo content to the screen in a message box:
So this leaves me wondering why exactly this was a non-malicious compromise ?
UPDATE: By popular request, here is the current AV recognition according to Virustotal. At least one of the two droppers is detected by:
Webwasher-Gateway 6.0.1/20070828 found [VBScript.Vulnerable.gen!High (suspicious)]
Authentium 4.93.8/20070828 found [HTML/IFrame]
F-Prot 18.104.22.168/20070828 found [HTML/IFrame]
Norman 5.80.02/20070828 found [JS/OnlineGames.A]
The actual executable is identified as malicious by:
AntiVir 22.214.171.124/20070828 found [TR/Crypt.FKM.Gen]
Avast 4.7.1029.0/20070827 found [Win32:WOW-FD]
CAT-QuickHeal 9.00/20070825 found [(Suspicious) - DNAScan]
DrWeb 4.33/20070828 found [Trojan.PWS.Wow]
eSafe 126.96.36.199/20070826 found [Suspicious Trojan/Worm]
F-Secure 6.70.13030.0/20070828 found [Trojan-PSW.Win32.WOW.sp]
Fortinet 188.8.131.52/20070828 found [W32/WoW!tr.pws]
Ikarus T184.108.40.206/20070828 found [Trojan-PWS.Win32.WOW.pu]
Kaspersky 220.127.116.11/20070828 found [Trojan-PSW.Win32.WOW.sp]
NOD32v2 2488/20070828 found [Win32/PSW.WOW.SP]
Norman 5.80.02/20070828 found [W32/Wow.BJL]
Sunbelt 2.2.907.0/20070825 found [VIPRE.Suspicious]
Symantec 10/20070828 found [Infostealer.Wowcraft]
TheHacker 18.104.22.168/20070828 found [Trojan/PSW.WOW.sp]
VBA32 22.214.171.124/20070828 found [suspected of Trojan-PSW.Game.9 (paranoid heuristics)]
Webwasher-Gateway 6.0.1/20070828 found [Trojan.Crypt.FKM.Gen]
in order to prevent clients from being infected, you could consider blocking traffic to the xvgaoke.cn domain.
Maarten Van Horenbeeck