Ah, scary things are afoot and go bump while you surf the web! Increasingly unfriendly critters are set to leave you the choice between "trick or trick" whenever you open the browser!  One bit that recently caught my eye again is the increasing effort made by Javascript exploit authors to disguise their crud. Take this one:



Now, anyone can tell from looking at this that whoever wrote this code is trying to hide something. Gone are the days when simple substitutions (like: encoded B is an A, encoded C is a B, etc) were used to hide the URLs where the next bit of nefarious code was pulled from. Over the last months, attackers have apparently evolved beyond first grade math, to highly complex :) concoctions involving binary "shift" and "bitwise and" operations. Wow!

Good thing is though, no matter how many turns and twists they take, decoding the mess is still pretty easy. Frequent readers of this diary will know that "amending" such Javascript blobs with a little additional Javascript, like a carefully placed or alert() statement, can make the decoded routine easily visible in the browser of your lab system. In this particular case, the part to aim for is the "eval" (underlined in red) - this is where the decoded string gets executed, and we'd prefer to intercept before this happens. Couple seconds later, we have the web server on the lab station hosting a copy of this file, with eval() replaced by alert().<br><br><img src="/diaryimages/images/813aa360d9fdf857c3408d6e46ddd8326565c88a.gif" alt=""><br><br>Hmm. Not yet. Yes, we do get the alert pop up, but it is still full of garbage. But wait, we've had this <a target="_self" href="http://isc.sans.org/diary.php?storyid=1519&rss">before</a> : arguments.callee.toString() returns the length of the currently executing Javascript function. So by adding one char (changing from eval to alert), the decoding function changes as well. Rather than to make use of the decoding technique listed in the earlier diary (manually add or subtract the number of chars as needed), we opted this time to keep the length of the code constant. This can be done by simply adding a new Javascript function aler(x) {alert(x)}; and then using "aler" instead of "alert" to replace "eval" in the obfuscated code. Same length.<br><br>The de-obfuscated URL goes to (dont click!!) js.pceb.cc, which resolves to 85.255.114.158, which is - surprise surprise - the address range of INHoster in Ukraine. Although we are wary of excessive block-lists, we have repeatedly recommended in the past that you block this range (http://isc.sans.org/diary.php?storyid=997):  85.255.112.0 - 85.255.127.0 . Do it now, and next time they dish up a new treat, it wont trick your users. <br><br>Happy Halloween!<br><br><font size="1">Caveat: Try and decode such critters only on a lab system. Careful malware analysts tend to reinstall their systems and change their jobs far less frequently than those who think they got it all down phat.</font>

• Maintaining security awareness for your installed application base is likely more important for the average SOHO/home user running Anti Virus and other security solutions that may not benefit from an enterprise configuration management team watching out for their interests 24x7.

• Visit all application vendor websites for your installed application base and subscribe to any available RSS feeds, or announcement mailing lists they may offer to licensed application holders. 
  
• Determine if your chosen product(s) have an embedded update notification mechanism and enable that feature for notification or auto-update as appropriate.

{00000514-0000-0010-8000-00AA006D2EA4} "

Secunia (http://secunia.com/advisories/22542/ is reporting a new Microsoft Internet Explorer (MSIE) 7.0 vulnerability. This vulnerability allows a malicious site to spoof the content of the address bar. Instead of the actual URL, the user will see a "fake" URL. We tested the vulnerability and found it to work quite well. As a quick workaround you may want to configure MSIE 7.0 to open new windows in a new tab. In order to do this, Tools -> Internet Options -> Tabs Settings -> When a pop-up is encountered: Always open pop-ups in a new tab.

(click image for full size)

The PoC exploit by Secunia is pushing the real URL off the screen to the left by adding multiple '%A0' characters between the real URL and the string 'www.microsoft.com'. It appears that the new window will only show right-most part of the URL. For tabs, the left most part is shown.

This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window.

Update:

Jeroen writes in to tell us:

"By default, Safari doesn't show the address bar in a popup ... so this trick will probably also work for Safari users since the popup window has the title 'Microsoft Corporation'. If you choose to display the address bar, it displays the correct URL (secunia).

Thanks Jeroen.

-Chris

UPDATE 2:

We received a lot of reports from our readers suggesting that Firefox and some other browsers are vulnerable to this exploit as well.

In case of this vulnerability, it is not easy to say if a browser is vulnerable or not ? we're not talking about exploiting a remote execution so it either works or it doesn't work. In this case, an attacker is actually trying to make the user believe that he's on a different site, and that can be, unfortunately, done using this vulnerability on almost all browsers.

If you try the test on Secunia's web page with other browsers, you will see different results, shown below.

Firefox (both 1.5.x and 2.0 versions) will open a new pop-up window completely without the address bar, so it's irrelevant what the JavaScript code attempts to do. The good thing about Firefox is that it will show the real site you connected to in the window title bar, as shown in the screen shot below. This is why the exploit does not work in Firefox as it should, but of course ? a user can still be fooled with this if they don't check the window title bar:



Opera is also not vulnerable to this exploit, but the pop-up window looks a bit different. You can see that it prints the real site name below the window title, but again, a user might miss this:



--
Bojan Zdrnja

Thank you for ordering from our internet shop. If you paid with a 
credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply 
as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting 
archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat 
software and can be viewed with Adobe Acrobat Reader. If you do not 
already have this viewer configured on a local drive, you may download 
it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your 
items in stock (NY, TN, UT & CA). We strive to ship all orders the same 
day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order!  Thank you for shopping with us!

Update:
One of our reader (Matthew) has notified us that McAfee is able to identify this new 
trojan and had already provided "extra.dat" support to allow customers to update 
their definitions (all platforms).

Running through VirusTotal again, other anti-virus scanners are starting to detect 
this malware. Below are those with positive results:
Authentium	4.93.8		10.13.2006	W32/Goldun.NK
AVG		386		10.13.2006	Downloader.Generic2.TFP
BitDefender	7.2		10.14.2006	Trojan.Downloader.Agent.APP
ClamAV		devel-20060426	10.13.2006	Trojan.Downloader.Small-2854
eTrust-InoculateIT  23.73.22	10.13.2006	Win32/Ursnif.MJI!Trojan
eTrust-Vet	30.3.3131	10.13.2006	Win32/Ursnif!downloader
DrWeb		4.33		10.14.2006	Trojan.DownLoader.14120
Fortinet	2.82.0.0	10.13.2006	W32/Dloader.AYT!tr.dldr
F-Prot		3.16f		10.13.2006	security risk named W32/Goldun.NK
F-Prot4		4.2.1.29	10.13.2006	W32/Goldun.NK
Ikarus		0.2.65.0	10.13.2006	Win32.Outbreak
Kaspersky	4.0.2.24	10.14.2006	Trojan.Win32.Small.kn
McAfee		4873		10.13.2006	Downloader-AXM
Microsoft	1.1603		10.14.2006	TrojanDownloader:Win32/Agent.EP
NOD32v2		1.1803		10.13.2006	Win32/TrojanDownloader.Small.NPO
Norman		5.80.02		10.13.2006	W32/DLoader.BAOZ
Panda		9.0.0.4		10.14.2006	Trj/SpyForms.J

Why do you have "Mitigated" in Yellow up above?

By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

To set the kill bits for CLSIDs with values of {e5df9d10-3b52-11d1-83e8-00a0c90dc849} and {844F4806-E8A8-11d2-9652-00C04FC30871}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

Overview of the October 2006 Microsoft patches and their status.

--
XXX

Over the weekend I dealt with a (rather massive) spam campaign side effects.

In a few minutes about 10,000 messages arrived on a "catch-all" email address. Those messages consisted of:

• Non-Delivery Reports (NDR)
• Delivery Status Notifications (DSN)
• Out of Office messages
• Automated responses indicating the target does not work anymore where he was working
• Questions to confirm the message is genuine
• Automated reports informing it was considered spam
• Automated reports informing it contained a virus
• Automated reports informing it contianed bad links
  
• ...

These messages come in at an incredible rate where they contain the original headers you can see they are spammed from all over the address space (so it's likely to be a botnet sending it out). The error messages are in at least half a dozen languages.

The spams were spoofed to come from random names at a domain and all those responses from the victims only create more victims.

So in order to keep the Internet a place where we all can survive it is critical:

• Your email servers know which messages can be accepted or not and refuse the message if it needs to bounce before letting the sender move on and need a NDR or DSN to be sent to another victim.
• You do this by NOT having fallback MX records where these messages are dumped and then generate all the bounces. The fallback MX mechanism is only useful if you have a very unreliable link and actually use something like ETRN to fetch your email. But if you can surf the Internet reliably, the MTAs will work perfectly without a fallback MX.And should your sefver be down: the orginating MTA will store it till the next queue run.
  
• You do this by scanning for active mailboxes before accepting the email.
• You do this by scanning for unwanted content before accepting the email.
• Kill all vacation, out of office messages, does nto work here anymore, .... automated replies: it's a risk. And if you get a few thousand of them while you didn't send those people anything it's a real pain.
• Stop grey-listing: this is really the cheap solution and it is protecting yourself and putting the burden on the rest of us who don't even want to have anything to do with you in the first place.
• Automated scanning; if you do need to send somebody somethign that a unwanted message got filtered: send it to the recipient. If (s)he wanted the message, it can be gotten out of quarantine, but don't bother others with it, you're sending it toward the wrong people. And those that did send it to you: they know.

How do you survive this onslaught? You stop accepting the catch-all email and refuse all those incoming messages and/or -for those addresses you need to accept email- you start to drop all of those unwanted messages in a filter. Dropping MX records only works if you have no A record, but it might be an option. And no: you don't reply to any of them, there have been enough victims.

Personally I feel it's long overdue to really start implementing a usable alternative to the current email system. One of the requirements would be sender authentication and inability to create just a new identity after you got blocklisted.

Next comes that you might not be able to send much email anymore as there will be enough people who are misguided in assuming you or your domain in fact did send that message (the header forgery was not that bad, so some might even believe you relayed the messages).

If you do think you absolutely need fallback MX records, need DSN, ... well I'm sure you might sing a slightly different tune when are the victim of 10K messages in the first few minutes, and still going strong after many hours.

While weekends in general are kinda slow in security news, there seems to be somewhat of an opposite trend on the side of those who attack us.

• Email spammers seen to be more active during weekend
• Forum/feedback spammers seem to be on the same page
  
• The iframe gang seems to start their campaigns on Fridays
• New exploits typically are usedin the wild on Friday afternoon/nights

Why the bad guys do this is easy: it slows us defenders down to have to take countermeasures during the weekend.

So if there is a lesson to learn, it's to make sure our defences during the weekend are up to speed. Yet even if we do have experienced staff in place, those laptops e.g. are still outside of their protective perimeter, possible even used for (mostly?) non-professional activity.

Keeping our defenses up to speed means also even for small companies to be reachable towards our ISP, and the world at large if you have anything that's connected to the Internet: if one of our servers gets abused and is used to attack otheers we need to be able to take action on the problem we're causing.

--
Swa Frantzen -- Section 66

Back to the start

Now what does that encoding look like?

MSIE

Conclusion

• Well we could put on the recorded message of not using MSIE. It does sound broken, doesn't it? But those that would listen will have done so already by now.
• We could urge people to change the settings of MSIE:
1. Launch Internet Explorer
2. Click on View;
3. Click on Encoding;
4. Deselect Auto-select if it is selected.
but how to do that on a global scale and make it permanent is unclear at this point.
• We can ask people to take care of their visitors and make the applications stronger in authenticating users before taking actions and in not storing authentication, sensitive information etc. in cookies and the like.
• If you develop web applications, make sure you always set the encoding, don't ever let MSIE guess as perfectly innocent looking strings might cause XSS problems.
  
• We could urge people to look at their errorlog and find 404 results and see if there was recon on using UTF-7 in it, but the recon can be very subtle. So at least check if your custom 404 web pages return the requested URL and stop doing that.

We saw them before, scum trying to make money off of disasters in other people's lives. And an aircraft crash in Brazil is not different. Start with a spammed campaign promoting a website, the website promoting clicking on tiny thumbnail images that lead to malware. Not cool.

Find courtesy of Websense, who has an article about it.

Here is what the antivirus vendors think of the malware (virustotal):

IOW: a bank aware keylogging piece of malware that's not detected by some of the big name vendors.

The important lesson to learn is not to click on links in email or IM, or any other way you could be social engineered into doing things you don't want to do.  That however needs to be translated not just on the receiving end into not following links we're given, but also on the sending end by not offering friendly links to our friends.

e.g.:

• NOT: pointing to  http://news.bbc.co.uk/1/hi/world/americas/5401846.stm
• BUT instead tell them go to the bbc and search for 'brazil aircrash' instead.

Firefox seems to have its share of followers, just like the Mac community. I'm actually using both typing this so don't get on my case too much. Their supporters seem to react a lot when it comes to vulnerabilities being exposed at hacker venues. While fascinating from a social perspective, let's look at what we do know:

Over the weekend a conference called ToorCon was held in San Diego and one of the presentations by Mischa Spiegelmock and Andrew Wbeelsoi was (among other things?) about Firefox security.

None of us handlers at that point had seen the presentation(*) itself and the interaction with a Mozilla staffer, but we did see the Mozilla developers react to it like it was real (as they should) and we reported briefly about it ourselves. So there was something but none of us knew exactly what or how it was and the threat of having more exploits up their sleeve wasn't going to give a comfortable feeling any time soon.

Today we were pointed by numerous readers towards more news by Mozilla. While it seems to debunk the whole situation somewhat, do reread this one before calling it a hoax. There is a DoS in there and those have shown in the past this nasty habit of sometimes turning around and biting you with code execution (like the setslice thing did for MSIE).

All in all the whole thing obviously was hilarious to present and attend (see the video above), but it still leaves the rest of us with a foul taste.

(*): In a twisted way, you need javascript enabled and sit through the commercial before you can see it.

--
Swa Frantzen -- Section 66

History

Reason for Yellow

Actions

• Update your antivirus software, make sure your vendor has protection for it (*).
• Install following killbits (**):

• Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.

References

• CVE-2006-3730
• USCERT note 753044
• Microsoft security advisory 926043

• Jesper's blog about setting killbit using group policy (GPO)
• Exploit prevention labs blog entry - iframe
  
• Exploit Prevention labs blog entry - CWS
• SunbeltBlog
• F-Secure blog

• Malicious ActiveX Controls (Oreilly)
• Setting killbits (Microsoft - KB240797)
  

• Snort VRT sigs: SID 7985 and SID 7986, available since September 1st.

• JS/Exploit-BO.gen - McAfee
• JS_PLOIT.BC - TrendMicro
• Bloodhound.Exploit.83 - Symantec

• Sept. 30th diary
• Sept. 29th diary with tool to set the killbits
• Sept. 28th diary

One of reader shared with us that SunJava 1.5.0_09 has been released. You can get it from:

Java Runtime Environment (JRE) 5.0 Update 9
Release Notes
Test your installation

Update: As of Sun Oct 1 09:00:00 EDT 2006, neither the locally-installed, nor the on-line Java version tester seems to be aware of the 1.5.0_09 update. In one test, the on-line updated reported that 1.5_0_06 is the latest version. Also, Jim Manico reported that in his test, version 1.5_0_08 was reported as being up-to-date as well.

Perhaps the updater only detects major version changes? In this case, we saw no important security reason to rush with the 1.5_0_09 update. However, we hope that the update mechanism will work as advertised when an important security vulnerability needs to be patched.