January 2007 - Posts


The Google blacklist

Used by anti-phishing technology, a list of suspicious URLs is maintained by Google and publicly available on the Internet. It is the Google blacklist: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:-1

On his blog, Michael Sutton who analyzed this link, explains it is used by the Google Safe Browsing for Firefox extension which is now part of the Google Toolbar for Firefox.

On January 5th, the Register announced that this public list contained confidential information like people's usernames, passwords or session tokens. They wrote that the problem had been corrected. Last Monday an Internet security firm reconfirmed the problem they had first discovered on the 3rd of January.

As I am interested in identity theft risks, I played with my favorite Internet search engine. Unfortunately it was not difficult to find copies of some lists that were spread before Google removed the offending data.

Online we are asked more and more often to enter our personal data. One day we make a mistake and some of our sensitive information is inadvertently stored, or even sent to a hacker who may then use it. This post demonstrates that such data can easily become publicly available on the Internet. All the more reason to be vigilant.

New Microsoft Word 2000 Vulnerability

We’ve seen many threats using vulnerabilities based on Microsoft Office documents over the last year, so it’s no surprise that we have recently observed new samples of a threat that follows the same theme. This threat, named Trojan.Mdropper.W, is using the new Microsoft Word 2000 Unspecified Code Execution Vulnerability (BID22225) to drop threats onto a compromised computer. When the infected Word document is opened, it uses an exploit to drop some files onto the computer. These files are back door Trojans that enable an attacker to gain remote access to your computer.

This vulnerability comes on the back of three other recent and unpatched Microsoft Word vulnerabilities, which are:

BID21518 (CVE-2006-6456)
BID21451 (CVE-2006-5994)
BID21589 (CVE-2006-6561)

To protect yourself against these threats, do not trust unsolicited files or documents about “interesting” topics. Do not open attachments unless they are expected and come from a known and trusted source.

Posted by Hon Lau on January 25, 2007 10:00 AM

Symantec Security Response Weblog: New Microsoft Word 2000 Vulnerability.

SYM07-001 - Symantec Web Security Multiple Vulnerabilities

A cross site scripting vulnerability and a denial of service vulnerability have been discovered in Symantec Web Security (SWS). Symantec has posted an advisory concerning these two vulnerabilities and an unaffected build is now available. For additional information on these vulnerabilities and information on what versions are affected, please see the following advisory:

http://www.symantec.com/avcenter/security/Content/2007.01.24c.html

Symantec has received reports from users that some custom scripts used to download virus definitions from the FTP site are failing. This occurs when the script uses wildcards such as *.xdb. Scripts which do not use wildcards are not affected. Symantec is aware of the situation and is working toward a resolution.

For additional information, including locations which do not require wildcards to update definitions, please see the following KB article:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007012409202248

Attacks on Virtual Machines

At AVAR 2006, I presented a paper which discussed ways in which virtual machines are vulnerable to detection and, in some cases, forced hangs or crashes.

The paper briefly discusses the two major types of virtual machines ("hardware-bound" and "pure software") and the two hardware-bound subtypes ("hardware-assisted" and "reduced-privilege guest"). The focus of the paper is the different ways in which various virtual machines can be detected. There are detections for VMware, VirtualPC, Parallels, Bochs, Hydra (though the published methods have since been fixed), QEMU, Atlantis and Sandbox, along with lots of source code.

The slides from the talk are also available, but without the commentary, they're not quite as interesting. The paper and slides are available from here.

Symantec Security Response Weblog: Attacks on Virtual Machines.

Oh boy here we go again...
Of Love and Bills Posted by Kimmo @ 07:01 GMT

A new round of malicious billing spam e-mails was received yesterday. All attachments have the filename Rechnung.pdf.exe. Two variants emerged from these spams: W32/Nurech.X and W32/Nurech.Y.

Later in the day, the phrase "Love is all Around" was given a new meaning when another batch of Stormy was received. This new Stormy still adheres to the theme of Love. Filenames of this new variant could be any of the following:

   Flash Postcard.exe
   Greeting Postcard.exe
   Greeting Card.exe
   Postcard.exe
   flash postcard.exe
   greeting card.exe
   greeting postcard.exe
   postcard.exe

Attachments are now detected as Trojan-Downloader.Win32.Small.ciw.

As seen from the newest samples, social engineering techniques are still employed to entice a portion of the recipients to execute the malicious attachments.

Vigilance and caution are always advised.

F-Secure : News from the Lab - January of 2007.


Published: 2007-01-24,
Last Updated: 2007-01-24 22:23:04 UTC
by Maarten Van Horenbeeck (Version: 2)

Several readers have written in that Cisco just released three security bulletins regarding issues in the Cisco IOS software:

Crafted TCP Packet can cause denial of service (cisco-sa-20070124-crafted-tcp)
A remotely-exploitable memory leak in the Cisco IOS software could lead to a denial of service condition. This vulnerability applies to much of the IOS 12.0, 12.1 and 12.2 code base.

Crafted IP Option vulnerability (cisco-sa-20070124-crafted-ip-option)
By sending certain ICMP, PIMv2, PGM or URD packets with a specific IP option set to a Cisco IOS or IOS XR device, an attacker could cause the device to reload or even execute arbitrary code. This applies to a wide variety of releases.

IPv6 Routing Header vulnerability (cisco-sa-20070124-IOS-IPv6)
Certain crafted IPv6 Type 0 routing headers could crash a device running IOS.

If you run Cisco switches or routers in your network, we advise you to review these bulletins in detail and take mitigative action where required. As a form of triage we believe organizations are most likely to be affected by the 'Crafted IP Option vulnerability', which also has the highest potential impact.

UPDATE:
Cisco has also released separate "Applied Intelligence Response" bulletins. These contain high quality information on how to detect exploitation of these vulnerabilities, and how they can be mitigated. Most organizations will need to perform a code upgrade for at least some of these vulnerabilities - while testing the new releases, these documents may prove useful.

Detecting and mitigating cisco-sa-20070124-crafted-tcp
Detecting and mitigating cisco-sa-20070124-crafted-ip-option
Detecting and mitigating cisco-sa-20070124-IOS-IPv6 


SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc.

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: January 24, 2007

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS07-003

Bulletin Information:

=====================

* MS07-003

- http://www.microsoft.com/technet/security/bulletin/ms07-003.mspx

- Reason for Revision: Bulletin updated to add "You receive an error message "Microsoft Office Outlook has encountered a problem and needs to close. We are sorry for the inconvenience." when you use Microsoft CRM client for Microsoft Outlook (931270)" under "What are the known issues that customers may experience when they install this security update?" in the "Frequently Asked Questions (FAQ) Related to This Security Update" section.

- Originally posted: January 9, 2007

- Updated: January 24, 2007

- Bulletin Severity Rating: Critical

- Version: 1.1

********************************************************************


Published: 2007-01-23,
Last Updated: 2007-01-24 15:24:12 UTC
by William Stearns (Version: 3)
Apple has provided a fix for a buffer overflow vulnerability in RTSP URLs. The fix is available for: "QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, Windows XP/2000".

For Windows users: The patch is only provided for OS X. As a Windows user, your best bet is to uninstall QuickTime and, if you still need it, download the newest version from Apple later. You can find it by clicking the "Quicktime" tab on Apple's home page (www.apple.com) and following the download links. It's not clear whether the version that is available right now is vulnerable or not, but it does not appear to have been updated recently.

Many thanks to Juha-Matti for bringing this up.

Reader Chris writes in to give us these steps:
- Install Apple Software Update from the QuickTime package if you haven't already
- Start Apple Software Update - Update to ASU 1.0.2
- Check or uncheck the updates you want
- Select "Download Only" from the Tools menu
- Select "Open Downloaded Updates Folder" from the Tools menu
I haven't tested this, *Because I have no Windows Machines*, so we would appreciate some feedback!!

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc.

Completely shameless plug on my part, but what can I say?

New Comic Weblog Updates Page

Posted by Chris Mosby on January 23rd, 2007

In an effort to fill the void that was left when the Comic Weblog Updates page stopped working I made something similar here. This page doesn’t go as far back as the other page did, but it will update properly.

The difference with my new page is that you don’t have to sign up with Blo.gs, or anything like that.

People that want to have their blog added to the list can e-mail weblogs@talesfromthelongbox.com with the subject of “Please add my Blog to the Comic Weblog Page”, and send me their info. I will take care of the rest. In the meantime I will try to add popular blogs on my own.

I hope everyone finds this useful.  Thanks for coming by!

Update: Since the feed script will show multiple posts for a blog, I went and added code to show the title of the post that was updated. This should cut down on any confusion, and that way you can pick which post to read.


Tales from the Longbox » Blog Archive » New Comic Weblog Updates Page.

“Storm Trojan” Outbreak – A Spam-centric View

While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.

Figure 1. Top 10 malware caught by Symantec Brightmail AntiSpam

One of the things that leaps out from this pie chart is that Peacomm has already run past the mass-mailing “happy new year” worm (W32.Mixor.Q@mm) despite getting a much later start in the period. The actual number of Peacomm spam is even higher because the majority of messages detected as Trojan.Packed.8 are a result of Peacomm spam as well. Trojan.Packed.8 was a heuristic detection that initially triggered on Peacomm when it was released, but due to the increase in Peacomm activity it was split out into its own detection to allow it to be tracked more easily.

In the above graph (Fig. 1), W32.Mixor.Q@mm comes second after Peacomm in the amount of email detected. Because it is a mass-mailer, Mixor.Q is generating this email directly, unlike Peacomm, which is being spammed out. However, there is a link between the two pieces of malware. While the first sample of Mixor.Q did not contain Peacomm, it did contain a simple downloader executable. Later samples of Mixor.Q were slightly modified to embed Peacomm, with Mixor simply dropping the executable and running it. It is highly likely that there is a direct correlation between the number of Mixor infections and the later rise of Peacomm, considering that Mixor dropped Peacomm as a payload.

A logical assumption would be that Mixor sent out Peacomm itself, but upon close analysis of a number of Mixor samples, this is not the case. Mixor merely drops Peacomm; so, we believe Peacomm was manually spammed out and the likely chain of events is as follows:

1. Mixor is embedded with Peacomm
2. Mixor self-replicates and infects a large number of hosts
3. Mixor drops Peacomm onto the infected system
4. Peacomm downloads other .exe files including spam proxies, mail harvesters, and self-updaters
5. The spam proxies are used to send spam: “game1.exe” spams out text stocks, and “game0.exe” (copied as taskdir.exe) spams out image-based stocks

One thing to note is that to date we have not seen any Peacomm-infected hosts instructed to send out emails with Peacomm attached in order to propagate Peacomm; these infected hosts are only sending out spam.


Figure 2. Malware per day as caught by Symantec Brightmail AntiSpam

This chart displays the amount of malware caught by our antispam solutions on a daily basis. The first bump is again due to Mixor.Q, which used social-engineering to persuade victims to open up a nasty New Year’s e-greeting card, while the second and more pronounced spike is due to Peacomm hitting the scene. If you have a hard time reading the numbers (they may be a little small), the spike on 2007-1-19 for Peacomm nearly struck the 13 million spam messages mark!

The Peacomm spam is changing form and is now sending out image-based spam that continues to advertise penny stocks. (Fig. 3) The image spam is being sent out at a slightly slower rate, but is still continuous. There are also new spam samples with “romantic” subjects, but these are being easily caught by Symantec Brightmail AntiSpam traps.

Figure 3. Peacomm image-based spam

As for the malware samples, there continues to be new executables downloaded and run to send new image-based spam. New malware variants are still being detected; however, the rootkit in the latest samples is the same used in the previous version.

In regard to operating systems affected, both the non-rootkit sample and the rootkit sample fail to install on Vista with UAC turned on. If a user explicitly right-clicks on the malicious file and clicks "Run as Administrator", then the threat will install the wincom32 driver file and registry entries, but the threat will fail to actually run. However, the restriction in the code that prevented it from executing on Windows 2003 has now been removed.

Symantec Security Response will continue to monitor this threat closely and release any new information or protection updates as new findings come to light.

Posted by Security Response Alert on January 23, 2007 01:30 PM
Symantec Security Response Weblog: "Storm Trojan" Outbreak - A Spam-centric View

Strat Strikes Again!!!

January 23rd, 2007 by Trend Micro

As of this writing we are currently receiving samples that indicate another Stration hit. The samples have already been submitted for the creation of an appropriate Trend solution. We will update you on the detection name and pattern release as soon as possible. So far we have received files with the following MD5 hashes:



  • a5e2e7d1583027c9fdd78cc66659dbec
  • eccb8d8172b0ac71b9b8c2b3900b3777
  • 6547253301da861b54a8fbcafd311ab1
  • 9e6efc163477f8346224b165ff01556b

More details to follow. We’ll keep you posted once a solution has been sent out.


Update (Jasper Pimentel, Tue, 23 Jan 2007 01:54:17 PM)


This malware (which Trend detects as TROJ_STRAT.CJ) arrives as an attachment in an email message that announces to the user that (s)he has received a postcard. The email details are as follows.


The detection pattern for TROJ_STRAT.CJ will be available in OPR 4.209.00.

Strat Strikes Again!!! -  TrendLabs | Anti-Malware Blog - by Trend Micro.

“Storm” trojan, an evolution in progress

It’s been a few days since our last post on the subject of Downloader-BAI, and the massive seeding is still continuing with dozens of new variants each day.

The first interesting bit in this event is watching the authors of this malware cobbling separate pieces together. Some time this weekend, this Downloader trojan was being found in the droppings of a mass mailer, W32/Nuwar@MM, which had previously been tied to a couple of other Downloader trojan families. So now, being tied with a mass-mailer as well as a mass seeding, this trojan has become more self-sustaining in its distribution. It’s unlikely, at this point, that this will be dying down completely any time soon.

Another thing that’s particularly notable, from a technical perspective, is that this collection of trojans is coordinating itself by way of a peer to peer network. This is something we’ve been seeing malware authors playing with more and more lately, with this one arguably being the most successful. W32/Nugache and the “Phatbot” variant of W32/Gaobot both attempted coordinating by P2P through Gnutella cache servers, but they were very limited in the number of bots that could be in a given botnet. Malware authors seem to understand that having any single point of failure means that at some point, they will in fact fail and have to rebuild their botnet. By having a “headless” botnet, they can self-heal more effectively.

Most notable of all with this event, with Downloader-BAI and Nuwar, is the social engineering tactics being used in this seeding. W32/Nuwar gained quite a bit of notoriety during the holidays, for its variety of holiday-specific subject lines. Now Downloader-BAI is being seeded with a list of subject lines, the majority of which are intended to ruffle feathers or cause concern in certain specific countries, for example:

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • British Muslims Genocide
  • 230 dead as storm batters Europe.
  • Radical Muslim drinking enemies’ blood.
  • Sadam Hussein alive!
  • Russian missle shot down USA satellite
  • Russian missle shot down Chinese aircraft
  • Sadam Hussein safe and sound!
  • The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  • Hugo Chavez dead.
  • Fidel Castro dead.
  • The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  • Venezuelan leader: “Let’s the War Begin”.

Personally, I find messages making outlandish claims something to be deleted without further ado. (Especially those messages that have file-attachments, and whose spelling is rather suspect) But for some reason this tactic is still proving successful. None of these techniques are particularly new or innovative, and if one were employing basic security measures this could be avoided. But due to the combination of huge numbers of new variants and social engineering tactics, it’s working for these miscreants.


Computer Security Research - McAfee Avert Labs Blog.

Trojan.Peacomm Part 2 – The Botnet Evolves

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

Figure 1. IPs originating activity - UDP port 7871

More interestingly, the new version of the threat has fully fledged rootkit capabilities, albeit not very sophisticated. It would appear that the malware writers were in a rush to get the new version out as quickly as possible and some functionality of the rootkit has not been implemented correctly.

It is now capable of hiding several files and registry keys by hooking several kernel functions and patching the tcpip.sys system driver to hide its ports from commands, such as netstat -o or netstat -b. However, due to some mistakes in the rootkit code, running netstat -an lets you see ports 7871 or 4000 open and waiting for connections. It is also important to note that a personal firewall will also notify you of the process services.exe trying to make connections on these ports. Furthermore, the rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again.

There is also code in the threat that will prevent it from executing if it detects the machine is running Windows 2003. We presume the malware writers didn’t have time to test it on this operating system. The rootkit driver is not free of bugs either, and in some cases it causes the system to crash and reboot.

So, what is the purpose of all this renewed activity, you ask? The primary goal is to create a botnet that sends tons and tons of penny stock spam (but because the botnet can be controlled by its owners, we may see changes in functionality). During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped. We are speculating that the task of sending the junk email is then passed on to another member of the botnet. My colleagues in the antispam team are seeing greater activity, too. Of course, users of Symantec’s Brightmail are also protected from this latest spam run.


Figure 2. Sample of Peacomm spam email

The good news is that, just the same as yesterday, Symantec customers remain protected by our detection and remediation technology present in the latest, up-to-date versions of our products.

Symantec Security Response Weblog: Trojan.Peacomm Part 2 - The Botnet Evolves.

Here is a good example of how futile blocking e-mail subject lines is as a way to block out viruses. One little change and the virus will get right on through. Blocking .exe's is the only smart thing to do.

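Two defender-side checks suggested by the Peacomm Part 2 post, written here as an added example (not Symantec's code or its Threat Management System): a flow-log scan for internal hosts chatting over UDP 7871 or 4000 with several distinct external peers, and a parse of netstat -an output for the ports the rootkit fails to hide. The flow-log format, the 10.0.0.0/8 internal range and every sample line are assumptions constructed for the demo.

```python
"""Two checks from the Peacomm Part 2 post above: the bots now talk over UDP
port 7871 (earlier 4000), and the unfinished rootkit hides those ports from
netstat -o/-b but not from netstat -an. Added example, not Symantec's Threat
Management System code; the flow-log format, the 10.0.0.0/8 internal range and
every log line below are constructed for the demo."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

PEACOMM_UDP_PORTS = {7871, 4000}
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
PEER_THRESHOLD = 3                    # distinct external peers before alerting

# Assumed flow-log line format: "<ts> proto=<udp|tcp> src=IP:port dst=IP:port"
FLOW_RE = re.compile(
    r"(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_flow(line):
    """Fields of one flow record, or None for lines that do not parse."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

def suspicious_hosts(flow_lines):
    """Network-side check: internal hosts exchanging UDP on a Peacomm port with
    several distinct external peers, the shape P2P bot coordination takes."""
    peers = defaultdict(set)
    for line in flow_lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "udp":
            continue
        if f["dport"] not in PEACOMM_UDP_PORTS and f["sport"] not in PEACOMM_UDP_PORTS:
            continue
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            peers[str(src)].add(str(dst))
    return {h: sorted(p) for h, p in peers.items() if len(p) >= PEER_THRESHOLD}

def peacomm_listeners(netstat_an_output):
    """Host-side check over `netstat -an` output, the variant the rootkit fails
    to filter: UDP sockets bound to a Peacomm port."""
    found = []
    for line in netstat_an_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if parts[0] == "UDP" and port in PEACOMM_UDP_PORTS:
            found.append((parts[1], port))
    return found

# Constructed flow records: 10.1.2.3 reaches three external peers on 7871,
# 10.9.9.9 reaches only one, and the DNS and TCP lines are noise.
SAMPLE_FLOWS = [
    "2007-01-23T10:00:01Z proto=udp src=10.1.2.3:7871 dst=198.51.100.7:7871",
    "2007-01-23T10:00:02Z proto=udp src=10.1.2.3:7871 dst=203.0.113.9:7871",
    "2007-01-23T10:00:03Z proto=udp src=10.1.2.3:7871 dst=192.0.2.44:7871",
    "2007-01-23T10:00:04Z proto=udp src=10.1.2.3:1034 dst=192.0.2.10:53",
    "2007-01-23T10:00:05Z proto=udp src=10.9.9.9:7871 dst=198.51.100.7:7871",
    "2007-01-23T10:00:06Z proto=tcp src=10.1.2.3:1040 dst=198.51.100.7:7871",
]

# Constructed `netstat -an` output in the Windows XP layout.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:7871           *:*
  UDP    0.0.0.0:1034           *:*
"""
```

Running suspicious_hosts(SAMPLE_FLOWS) names only 10.1.2.3, and peacomm_listeners(SAMPLE_NETSTAT) returns the 7871 socket the post says netstat -an still shows.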
Stormy Love Posted by Patrik @ 20:00 GMT

This evening a new wave of the Stormy worm has been widely spammed. The subjects used in the e-mails have now changed from news-related events to love-related topics as you can see from the screenshot and the list of subjects below.

Stormy Love

A list of subjects we've seen so far include:


A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I'll Be There
Back Together
Breakfast in Bed Coupon
Can't Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can't Function
I Dream of You
I Think of You
Internet Love
It's Your Move
Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul
The Love Bugs
This Day Forward
This Feeling
Till Morning's Light
Till Morninig's Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We're a Perfect Fit
Wild Nights
Will you?
When I'm With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait

Thanks to Diego who notified us and told us that this list looks very similar to the list of Romantic Cards over at 2000greetings.com and indeed it does.

The list of files is much shorter:

Greeting Postcard.exe
postcard.exe
greeting card.exe
Flash Postcard.exe
flash postcard.exe

We now detect this as Email-Worm.Win32.Zhelatin.a.

Note: For those of you who aren't already filtering EXE's in the e-mail gateway – do it now!

F-Secure : News from the Lab - January of 2007.
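The point made twice above, that blocking subject lines is futile while the executable attachment is the constant, as an added example (not F-Secure's or this blog's code): a gateway check that ignores the subject and refuses executable attachments, including decoy double extensions such as Rechnung.pdf.exe. The extension list, the subject blocklist and the three sample messages are assumptions constructed for the demo.

```python
"""Attachment-based gateway filtering for the Nurech and Stormy/Zhelatin runs.

Added example, not F-Secure's or this blog's code. A subject-line blocklist
stops working as soon as the subjects change (news headlines, then love cards),
but every run still delivers an .exe attachment, sometimes behind a decoy
extension such as Rechnung.pdf.exe. All sample messages are constructed here."""
import email
from email import policy
from email.message import EmailMessage

# Attachment types refused from outside (assumed gateway policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# The kind of subject blocklist the posts call futile: three subjects from the
# "news" run. The love-themed run that followed shares none of them.
SUBJECT_BLOCKLIST = {
    "230 dead as storm batters Europe.",
    "Fidel Castro dead.",
    "Russian missle shot down USA satellite",
}

def is_executable_name(filename):
    """True when the last extension is executable, regardless of case or of
    any decoy extension in front of it (Rechnung.pdf.exe, Postcard.EXE)."""
    lowered = filename.strip().lower()
    dot = lowered.rfind(".")
    return dot != -1 and lowered[dot:] in BLOCKED_EXTENSIONS

def attachment_names(msg):
    """Filenames of every attachment part of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def subject_filter(msg):
    """Subject-based verdict (True = block); the attacker changes it at will."""
    return str(msg["Subject"] or "").strip() in SUBJECT_BLOCKLIST

def attachment_filter(msg):
    """Attachment-based verdict (True = block); survives subject changes."""
    return any(is_executable_name(n) for n in attachment_names(msg))

def scan_raw(raw_bytes):
    """Parse a message as received on the wire and return both verdicts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {"subject_block": subject_filter(msg),
            "attachment_block": attachment_filter(msg)}

def build_sample(subject, attachment_filename):
    """Construct a lure e-mail carrying a harmless placeholder 'attachment'."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("You have received a postcard. Please open the attachment.")
    msg.add_attachment(b"placeholder bytes, not executable code",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_filename)
    return msg.as_bytes()

# Constructed samples: subject/attachment pairs drawn from the lists in the
# posts above, except the "Ihre Rechnung" subject, which is invented here.
SAMPLES = {
    "news run": build_sample("230 dead as storm batters Europe.", "postcard.exe"),
    "love run": build_sample("A Red Hot Kiss", "Greeting Postcard.exe"),
    "billing run": build_sample("Ihre Rechnung", "Rechnung.pdf.exe"),
}

def run_samples():
    """Verdicts per sample; only the attachment rule catches all three."""
    return {name: scan_raw(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} {verdict}")
```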
