Last Updated: 2007-12-03 01:36:14 UTC
by Maarten Van Horenbeeck (Version: 2)
Symantec is reporting an active exploit site for the QuickTime RTSP Response vulnerability described in CVE-2007-6166. The malicious stream is currently hosted on port 554 of the server 18.104.22.168. Upon exploitation, the following executables are downloaded:
hxxp:// 1800-search.com /000/loader.exe
hxxp:// 1800-search.com /000/dnslvc.exe
Both files are universally detected by anti-virus products, so this is a relatively poorly executed attack. Since no vendor-supplied patch is currently available, we still recommend following US-CERT's recommendations:
- Setting the kill bit in Internet Explorer for the following QuickTime CLSIDs:
- Disabling the QuickTime plug-in for Mozilla browsers;
- Disabling QuickTime file associations;
- Filtering traffic on the common RTSP ports (554/tcp and 6970-6999/udp). This provides only partial mitigation.
Each of these makes the use of legitimate QuickTime content next to impossible, so please be aware of the impact this may have on your organization.
This specific attack instance can be blocked by disallowing traffic to the following domains and IP addresses:
22.214.171.124 (a seeder URL to this exploit, also hosting other IE exploits)
Maarten Van Horenbeeck
Last Updated: 2007-12-02 10:04:17 UTC
by Maarten Van Horenbeeck (Version: 1)
Everyone deploys anti-virus, but sometimes without sufficient thought as to how it should be intelligently deployed. Anti-virus products differ considerably in their features: some are relatively more of a 'blacklisting' technology than others. It is important to ensure that AV only needs to work in those cases where we know it is most effective.
As a quick example, here is the VirusTotal output for a recent malicious RAR file that was brought to my attention. RAR files are archives, similar to ZIP but with a higher compression ratio:
Engine Version Signature date Result
AhnLab-V3 2007.11.24.0 2007.11.23 -
AntiVir 126.96.36.199 2007.11.25 -
Authentium 4.93.8 2007.11.24 -
Avast 4.7.1074.0 2007.11.25 -
AVG 188.8.131.523 2007.11.25 -
BitDefender 7.2 2007.11.25 -
CAT-QuickHeal 9.00 2007.11.24 -
ClamAV 0.91.2 2007.11.25 -
DrWeb 4.44.0.09170 2007.11.25 -
eSafe 184.108.40.206 2007.11.21 -
eTrust-Vet 31.3.5324 2007.11.24 -
Ewido 4.0 2007.11.25 -
FileAdvisor 1 2007.11.25 -
Fortinet 220.127.116.11 2007.11.25 -
F-Prot 18.104.22.168 2007.11.25 -
F-Secure 6.70.13030.0 2007.11.25 Exploit.Win32.WinRar.g
Ikarus T22.214.171.124 2007.11.25 Exploit.Win32.WinRar.g
Kaspersky 126.96.36.199 2007.11.25 Exploit.Win32.WinRar.g
McAfee 5170 2007.11.23 -
Microsoft 1.3007 2007.11.25 -
NOD32v2 2684 2007.11.25 -
Norman 5.80.02 2007.11.23 -
Panda 188.8.131.52 2007.11.25 -
Prevx1 V2 2007.11.25 -
Rising 20.19.61.00 2007.11.25 -
Sophos 4.23.0 2007.11.25 -
Sunbelt 2.2.907.0 2007.11.24 -
Symantec 10 2007.11.25 -
TheHacker 184.108.40.206 2007.11.24 -
VBA32 220.127.116.11 2007.11.23 -
VirusBuster 4.3.26:9 2007.11.25 -
Webwasher-Gateway 6.0.1 2007.11.25 -
The vulnerability being exploited dates from 2005, yet it appears most products had no effective detection for it. This makes sense: security bugs have been found in several hundred applications, if not more, and it would be very difficult for AV vendors to build effective parsers for each of the affected file formats.
There is also a good reason for them not to write such parsers: when implementing them for file formats that are sometimes poorly documented, it is easy to introduce security bugs in your own parsing code. This has been illustrated by several researchers, such as Thierry Zoller and Sergio Alvarez of n.Runs, who found several bugs in AV parsing code, often allowing remote code execution by an attacker. Depending on where you scan, the compromised host could be your mail gateway or your desktop.
The point of this diary is to illustrate that the deployment of any gateway anti-virus control should be based on enforcing which file types are passed along to the internal clients. Does your organization actually need .RAR files to function?
Building a list of the file types you want to support organizationally, understanding that each of them poses additional risk, should be the beginning of any implementation. The anti-virus should then be configured to simply drop anything that does not match this policy statement.
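As an added illustration of the allowlist policy described above (example code written for this diary, not a product's own implementation), the following identifies attachments by their leading bytes rather than by name and drops anything outside the organizational allowlist. The signature table, the allowlist and the sample attachments are all constructed for the example.

```python
import os

# Magic-byte signatures for a few common formats (constructed list; a real
# gateway would use a full identification library such as libmagic).
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar",      # RAR 1.5 - 4.x archive header
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x archive header
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"MZ": "exe",
}

# Organizational allowlist: every type not listed here is dropped.
ALLOWED_TYPES = {"pdf", "zip"}

def identify(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, ftype in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return "unknown"

def gateway_decision(filename: str, data: bytes, allowed=ALLOWED_TYPES):
    """Return (action, reason) for an attachment.

    Classification is by content, not by name, so a RAR renamed to .pdf is
    still dropped; an extension/content mismatch is itself a violation.
    """
    ftype = identify(data)
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ftype not in allowed:
        return ("drop", f"type {ftype} not in allowlist")
    if ext != ftype:
        return ("drop", f"extension .{ext} does not match content type {ftype}")
    return ("allow", f"{ftype} permitted by policy")

# Constructed sample attachments (headers only, not real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
    "photos.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 8,
    "invoice.pdf": b"Rar!\x1a\x07\x00" + b"\x00" * 8,  # RAR renamed to .pdf
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        action, reason = gateway_decision(name, blob)
        print(f"{name:12} {action:5} {reason}")
```

Because the decision is made on the content type first, the renamed RAR is rejected for the same reason as the honestly named one, and the policy holds whether or not the scanner has a signature for the exploit inside.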
Maarten Van Horenbeeck