April 2007 - Posts

 

Buffer Overflows In Adobe Products

Published: 2007-04-30,
Last Updated: 2007-04-30 20:39:18 UTC
by Joel Esler (Version: 1)

Seems as if there is a Buffer Overflow in multiple Adobe products. According to the exploit, the following products are affected:

The PNG exploit affects:

- Photoshop CS2
- Photoshop CS3
- Photoshop Elements 5.0
- Corel Paint Shop Pro 11.20

And the Bitmap exploit affects:

- Photoshop CS2
- Photoshop CS3

The solution for these exploits, basically, is not to open untrusted .png, .bmp, .dib, or .rle files. The possibility of remote shells and command execution does exist. So be cautious. I am sure there will be more to come.
Joel Esler
http://handlers.sans.org/jesler

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

OK I got 11 new servers with no clients, so here we go.

A little different looking interface this time, more like an OS service pack.

First question...

and we are off!!

More after the install...

I saw one of those here today, so be on the lookout.

A Sobering Thought

Since late yesterday we have seen a marked increase in the activity of a new Sober variant doing the rounds.
A new variant of Sober named W32.Sober.AA@mm is currently being spammed out to many users around the world.
The spam can be either in English or German and uses classic social engineering techniques to trick users into opening and running the attachments.

The emails sent have the following characteristics:

Subject:
Ihr Passwort wurde geaendert!
Fehlerhafte Mailzustellung
Ihr Account wurde eingerichtet!
Your Updated Password!
Error in your eMail

Message:
Ihr Passwort wurde erfolgreich geaendert.
Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang!

or

Diese Nachricht wurde Automatisch generiert.
- Ihre EMail konnte nicht empfangen oder gesendet werden.

or

Danke das Sie sich fuer uns entschieden haben
Um ihren neuen Account zu aktivieren, folgen sie der kurzen Anleitung im Anhang. Es sind nur 2 Schritte noetig!

or

You notified us that you have forgotten your password.
We have changed your password to a random sequence of letters and digits!
For more detailed information, see the attached password file ...

or

Your eMail has occurred an unknown error on our Server.
Please read your mail and check the text.
The full email is attached!

Attachment Names:
Passw_Data[RANDOM DIGITS].zip
PDaten[RANDOM DIGITS].zip
Mail_Data[RANDOM DIGITS].zip
Anleitung[RANDOM DIGITS].zip

The file inside the attachment is:
Winzipped_Data-Files.exe

Symantec customers have been protected since April 8, 2007 with the threat being detected as W32.Sober@mm.
Detections with Rapid Release Sequence of 67895 or greater (April 30, 2007) will detect this threat as W32.Sober.AA@mm.
Users of spam filtering will also be protected, since rules have been created to filter out these emails.

It has been a while since we last saw significant activity in this family of worms. The last named variant was back in 2005. Just like fashion, things often go out of style, only to make a come back later. Could this be the come back of Sober?

As usual, the advice is to not open email attachments from unexpected sources, even if they appear to be legitimate.

Posted by Hon Lau on April 30, 2007 05:00 AM

Source: Symantec Security Response Weblog: A Sobering Thought

 

EGold indicted for money laundering and illegal money transmitting
Posted by Jarno @ 06:54 GMT


Digital currency company E-gold has been indicted by the US Department of Justice for suspected money laundering and illegal money transmitting. This is interesting, as we have seen E-Gold, Webmoney, Western Union, Fethard and other similar services being used by online criminals for quite a long time.

For example, here's a snippet from the Iframecash web site - this gang has been known to use exploits (such as WMF and ANI) to drop drive-by-installs to innocent bystanders' machines.

[Image: snippet from the Iframecash web site mentioning e-gold]

We have no information whether E-gold staff has been aware of misuse of their services, or whether they have been able to do anything to prevent misuse. But we sure have seen lots of criminals using E-gold.

Link to the US Department of Justice press release

Source: F-Secure : News from the Lab

 

Job Offers That Might Get You in a LOT of Trouble

Friday April 27, 2007 at 8:48 am CST
Posted by Nick Kelly


There has recently been an increase in the amount of money-mule recruitment e-mails offering jobs for “payment processors,” “foreign representatives,” “overseas agents,” “fund managers,” or similarly named jobs. These spam e-mails are generally very vague and offer full- or part-time “employment,” accepting payments and then passing them on to your “employer” (fraudster).

[Image: money-mule spam sample]

The e-mails attempt to recruit members of the public to become money launderers, acting as middle-men and accepting payments for spammed goods and other dubious financial transactions, banking the money or converting it to foreign currencies, and then passing it on to the fraudster. In exchange for receiving a percentage of the funds being transferred, typically 5 percent to 10 percent, the “employee” becomes the fall guy for the fraudster and is at risk of charges of money laundering and other criminal charges.

Spam gangs can send spam relatively anonymously using botnets and compromised PCs, but their money trail is one way that they could be traced and caught. Employing middle-men to accept payments and move the money on puts more of the risk and likelihood of getting caught onto these “employees”, while the spammers become more difficult to trace.

In some cases the fraudsters have put a lot of effort into creating authentic-looking Web sites for non-existent companies. Some include a detailed overview of the fictional company, a full job description, and terms of employment–such as the one below. This example uses the name of a legitimate company to try to trick potential “employees” into believing that the company and the job are legitimate:

Some of the recruitment mails are purposefully very vague and worded in a similar way to legitimate jobs, but all involve receiving payments and forwarding the money. A common theme for this type of spam is that the spammers require an “honest and trustworthy” person to do their money laundering! No wonder they’re finding it hard to recruit honest criminals.

Source: Computer Security Research - McAfee Avert Labs Blog

 

Update on the Estonian DDoS attacks
Posted by Mikko @ 06:57 GMT


Several of the Government websites we monitored over the weekend are still down in Estonia.

Some sites are up but are in "light-weight" mode. For example, the site of the Estonian Police has been changed to one text-only page.

Here are the Netcraft availability stats on the Estonian Government official home www.valitsus.ee. Not a pretty sight.

[Image: Netcraft availability stats for www.valitsus.ee]

As the real-world riots seem to have calmed down by now, hopefully the net attacks will too.

Source: F-Secure : News from the Lab

 

Unrest in Estonia
Posted by Mikko @ 13:51 GMT


For the past days, there's been unrest and rioting in Estonia.

Quoting CNN: "Police arrested 600 people and 96 were injured in a second night of clashes in Estonia's capital over the removal of a disputed World War Two Red Army monument ... Russia has reacted furiously to the moving of the monument ... Estonia has said the monument had become a public order menace as a focus for Estonian and Russian nationalists."

We're now seeing large attacks against websites run by the Estonian government. Some of the sites are unreachable. Others are up, but do not allow any traffic from foreign IP addresses.

Here's the status as we saw it on Saturday at 15:00 GMT:

www.peaminister.ee (Website of the prime minister): unreachable
www.reform.ee (Party of the prime minister): reachable
www.agri.ee (Ministry of Agriculture): reachable
www.kul.ee (Ministry of Culture): reachable
www.mod.gov.ee (Ministry of Defence): reachable
www.mkm.ee (Ministry of Economic Affairs and Communications): unreachable
www.fin.ee (Ministry of Finance): reachable
www.sisemin.gov.ee (Ministry of Internal Affairs): unreachable
www.just.ee (Ministry of Justice): reachable
www.sm.ee (Ministry of Social Affairs): reachable
www.envir.ee (Ministry of the Environment): reachable
www.vm.ee (Ministry of Foreign Affairs): unreachable
www.pol.ee (Estonian Police): reachable
www.valitsus.ee (Estonian Government): unreachable
www.riigikogu.ee (Estonian Parliament): unreachable

[Image: status of Estonian government sites]

Source: F-Secure : News from the Lab

 

Published: 2007-04-29,
Last Updated: 2007-04-29 12:04:19 UTC
by Maarten Van Horenbeeck (Version: 1)

There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998.

The affected site displayed a remotely hosted image and the attacker’s nickname:

<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>';"><noscript>

The affected site was a subpage of ieak.microsoft.com where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development.

While the brand impact of a low-level compromise like this is negligible, it does bring up some hard questions. In this day and age of increasingly popular outsourcing and co-sourcing, how do you ensure your partners are able to meet your security requirements? Reputation is a good starting point, while supplier audit and compliance with relevant security standards can complete the picture. Both should be part of any outsourcing RFP.

After all, while this may be a small time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly is one thing to reflect on a brand. Being involved in the distribution of a banking fraud trojan quite another.

--
Maarten Van Horenbeeck

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 27, 2007
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-021
* MS07-012

Bulletin Information:
=====================

* MS07-021

- http://www.microsoft.com/technet/security/bulletin/ms07-021.mspx
- Reason for Revision: Updated File Information Section for Windows XP Service Pack 2 and Windows Vista
- Originally posted: April 10, 2007
- Updated: April 26, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS07-012

- http://www.microsoft.com/technet/security/bulletin/ms07-012.mspx
- Reason for Revision: Bulletin Updated: additional clarification addresses customers who are developing applications that statically link to the redistributed files replaced by the Visual Studio update. Microsoft SQL Server 2000 has also been added to the "Non-Affected Software" list.
- Originally posted: February 13, 2007
- Updated: April 26, 2007
- Bulletin Severity Rating: Important
- Version: 1.2
********************************************************************

 

Malware Authors Pay to Steal Your Bank Passwords

Thursday April 26, 2007 at 12:09 pm CST
Posted by Allysa Myers


This Washington Post blog discusses a misuse that has occurred with Google’s Sponsored Links.

How it works is this: Someone searches for a term that would lead them to a list of different sites, such as the Better Business Bureau. The top sponsored link appears, purporting to be the site the user is looking for. On a normal link, if someone places the mouse over it, most browsers will indicate in the bottom left corner what the address of that site is. This is not the case with Google’s Sponsored Links. You have to trust that what appears is what it says it is, which we can see is not necessarily a good bet.

So, say a user had clicked on this Sponsored Link. It would then direct them to a malicious site which contains a script which we detect as JS/Wonka. This site has an iframe which contains a number of exploits, and which we detect with script scanning enabled as JS/Exploit-BO.gen. There are two particularly notable exploits in this lot - one for a recent QuickTime vulnerability and one for the ANI vulnerability from last month. This is one of the first instances we’ve seen of the QuickTime vulnerability being exploited. The end result of this script is that it installs a downloader, for which detection is being added as Generic Downloader.ab. This downloader then downloads a PWS-Banker trojan to steal your online banking credentials.

Whew. Everyone feeling sufficiently dizzy now?

In the past, we’ve seen looping techniques used for index hijacking in order to increase Page Rank, so that a page will show up higher in the list of returned results in Google’s search results, but Sponsored Links play by a different set of rules. To get a sponsored link, you actually have to agree to pay for your clicks. And as this link was the top sponsored link, they had to have paid more money than other sponsors.

Google has terminated the account which set up this list of sponsored links, so this is not currently functional. I wonder what the return on investment would have been in terms of cost per click versus “positive” identity theft results. Had people who clicked on the malicious link had security software in place to detect this or prevent them from having their banking information sent off, would this have been a significant money-pit for them?

Source: Computer Security Research - McAfee Avert Labs Blog

 

ANI to the Extreme

A few days ago, we received yet another submission containing a strange Animated Cursor file. This vulnerability made quite some noise, and though we thought it was handled by now, this file was definitely not the usual ANI exploit…

An ANI file follows the RIFF standard, with a few exceptions. It is a collection of data chunks, all having the same format of "header | size | data". Therefore, spotting malicious files attempting to exploit the vulnerability should be easy. But is it? For the human eye, it is. For a heuristic detection, in spite of what was said before, it is not. Despite the supposedly easy structure of the Animated Cursor file, Microsoft’s implementation of its parser is quite loose.

First, invalid chunks will get properly parsed. Though not affecting the ANI file itself, such chunks should not be encountered in cursor files, but the ANI parser just allows and skips them. Fair enough, our detections can handle that as well. Attackers, after a few days of ‘proper ANI files’ exploitation, realized that and started to write malicious ANI file generators containing hundreds of invalid chunks, hoping to force heuristic detections to bail out. It didn’t work.

Another ‘weakness’ in the Windows ANI parser started being exploited. Though chunks should be aligned on 2-byte boundaries, the size announced in a header – which should be an even number - can be less than the actual amount of data residing in the payload. Of course, the parser understands this…and rounds the size field to a 2-byte word before moving to the next chunk. The detections were quickly updated to handle those not-so-invalid ANI files.

The file I’m talking about pushed the parser’s looseness to its extreme. Using a particular chunk, containing another chunk in its payload, the size field of the particular chunk can be highly modified, and the file will still be properly parsed by Windows! Where’s the logic?

Additionally, the ANI file itself did not exhibit a classic malicious structure: it did not contain any shellcode. It simply exploited the vulnerability and overwrote a ~460-byte area in memory. The exploitation was done by a malicious JavaScript code located in the HTML page that referenced the ANI file. Heap-spraying the memory in IE, triggering the vulnerability in ANI…an efficient combination. Though the heap-spraying part is not new, combined with this particular ANI file, it again demonstrates the ability attackers have to invent or find alternate ways to bypass usual detections. Not to mention the ANI parser itself, loose to a point that it facilitates the attackers’ job...once again, the trade-off between convenience, usability and security.

Links:
Microsoft MS07-017 - the official ANI vulnerability patch
Trojan.Exploit.131 – malicious ANI files detection

Posted by Nicolas Falliere on April 27, 2007 05:00 AM

Source: Symantec Security Response Weblog: ANI to the Extreme
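As an added illustration (my own code, not Symantec's detection logic), here is a strict RIFF/ANI chunk walker that records each of the parser tolerances the post describes: unknown chunks, odd-sized chunks, and size fields that do not fit the data. The sample files are constructed inline; the chunk names are the standard ANI ones and the 36-byte figure is the format's fixed header size.

```python
import struct

# Chunk names a well-formed animated cursor (RIFF form type "ACON") can carry.
KNOWN_CHUNKS = {b"anih", b"rate", b"seq ", b"LIST", b"icon", b"INAM", b"IART"}
ANIHEADER_SIZE = 36  # the fixed ANI header is nine 32-bit fields


def walk_chunks(data, offset, end, chunks, findings):
    """Walk the RIFF chunks in data[offset:end], recording each chunk and every anomaly.

    The walker advances exactly as a tolerant parser would (unknown chunks are skipped,
    odd sizes rounded up to the 2-byte boundary) so offsets match what Windows reads,
    but unlike the parser the post describes it reports each deviation it meets.
    """
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        payload = offset + 8
        chunks.append((fourcc, offset, size))
        if fourcc not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {fourcc!r} at offset {offset}")
        if size % 2:
            findings.append(f"odd size {size} for chunk {fourcc!r} at offset {offset}")
        if payload + size > end:
            findings.append(f"chunk {fourcc!r} at offset {offset} declares {size} bytes "
                            f"but only {end - payload} remain")
            return
        if fourcc == b"anih" and size != ANIHEADER_SIZE:
            findings.append(f"anih chunk at offset {offset} has size {size}, "
                            f"expected {ANIHEADER_SIZE}")
        elif fourcc == b"LIST":
            # A LIST payload is a 4-byte list type followed by nested chunks.
            walk_chunks(data, payload + 4, payload + size, chunks, findings)
        offset = payload + size + (size % 2)
    if offset < end:
        findings.append(f"{end - offset} stray byte(s) before offset {end}")


def audit_ani(data):
    """Return the list of structural anomalies; an empty list means a well-formed file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings, chunks = [], []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 != len(data):
        findings.append(f"RIFF size {riff_size} does not match file length {len(data)}")
    walk_chunks(data, 12, min(len(data), riff_size + 8), chunks, findings)
    anih_count = sum(1 for fourcc, _, _ in chunks if fourcc == b"anih")
    if anih_count != 1:
        findings.append(f"expected exactly one anih chunk, found {anih_count}")
    return findings


# --- constructed sample files (test data, not the submission the post describes) ---

def chunk(fourcc, payload, declared_size=None):
    """Build one RIFF chunk; declared_size lets a sample lie in its size field."""
    size = len(payload) if declared_size is None else declared_size
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", size) + payload + pad


def riff_acon(body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH_OK = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
ONE_FRAME = chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 22))

GOOD_ANI = riff_acon(chunk(b"anih", ANIH_OK) + ONE_FRAME)
BAD_ANI = riff_acon(
    chunk(b"JUNK", b"abc")            # unknown, odd-sized chunk that Windows would skip
    + chunk(b"anih", b"\x41" * 60)    # header chunk with an inflated size field
    + ONE_FRAME
)
OVERRUN_ANI = riff_acon(chunk(b"anih", ANIH_OK, declared_size=500))

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI), ("overrun", OVERRUN_ANI)):
        print(name, audit_ani(sample) or "no anomalies")
```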

 

Symantec Products Information Disclosure and Buffer Overflow

Secunia Advisory:
SA25013

Release Date:
2007-04-27

Critical:
Less critical

Impact:
Exposure of sensitive information
Privilege escalation
DoS

Where:
Local system

Solution Status:
Vendor Patch

Software:
Symantec Backup Exec System Recovery 6.x
Symantec LiveState Recovery 6.x
Symantec Norton Ghost 10.x
Symantec Norton Save & Recovery 11.x
Symantec Norton Save & Recovery for Norton System Works 2007 1.x
Symantec Norton Save & Recovery Sony Euro 1.x

Description:
A vulnerability and a security issue have been reported in various Symantec products, which can be exploited by malicious, local users to disclose sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.

1) Scheduled backups to remote network shares save login credentials for remote shares in the application directory with insecure permissions (read access for everyone).

2) An unspecified error can be exploited to cause a buffer overflow, which can lead to a DoS or execution of arbitrary code with SYSTEM privileges.

The vulnerability and the security issue are reported in the following products and versions:
* Norton Ghost 10.0 and 10.01
* Norton Ghost for Norton System Works 10.0
* Norton Ghost for Dell 10.0
* Norton Save & Recovery 11.0, 11.01, and 11.01B
* Norton Save & Recovery for Norton System Works 2007 1.01B
* Norton Save & Recovery Sony Euro 1.01
* LiveState Recovery 6.0, 6.01, and 6.02
* BackupExec System Recovery 6.5, 6.52, 6.52A, and 6.53

Solution:
Update to the latest version via LiveUpdate.

Provided and/or discovered by:
The vendor credits Pravus and iDefense Labs.

Original Advisory:
http://securityresponse.symantec.com/avcenter/security/Content/2007.04.26.html

Source: Symantec Products Information Disclosure and Buffer Overflow - Advisories - Secunia

 

Thursday, April 26, 2007 5:11 PM by MSRCTEAM

SDL Lessons learned from MS07-017

Hi everyone this is Adrian Stone.

One question that I still get regularly on the .ANI case that was part of the MS07-017 bulletin by many people outside of Microsoft is “After all the work Microsoft did leveraging the Security Development Lifecycle, why didn’t it help catch this vulnerability in Windows Vista?” Honestly, that is a fair question and one I asked myself during the investigation, as I was the program manager responsible for the case. I decided to walk down the hall from my office to ask Michael Howard myself.

Michael works on the Security Development Lifecycle (SDL) right alongside the MSRC. The SDL group is a bunch of talented people who track down security issues we identify in our investigation and work to ensure that the knowledge gained from an issue goes toward making our future products more secure. The MSRC and the SDL teams work together on all the bulletins we release.

Something important to remember, and if you have ever had a chance to listen to Michael speak he often mentions, is that the Microsoft Security Response Center or any planned security response to an issue doesn’t necessarily mean that SDL is ineffective or not working. Actually, having a security response plan and the existence of the Microsoft Security Response Center is part of a healthy and robust implementation of SDL. No matter how good an implementation of an SDL is, the software will always be developed to be the most secure it can be for that point in time. Essentially, the threat landscape may change or transform in ways that one could not have accounted for and thus it will always be necessary to know which parts of the organization need to be mobilized to address the concerns and release an update.

Michael and others responsible for SDL recently launched the SDL blog and have an interesting post about the .ANI case that I think can help answer some of the questions you have posed to me about the matter. I can assure you that hearing from the SDL experts will be better than my attempts to explain the depth and comprehensiveness of the work they do. In any case, I encourage you to check out their blog.

Thanks,

-A

*This posting is provided "AS IS" with no warranties, and confers no rights.* 


Source: The Microsoft Security Response Center (MSRC) : SDL Lessons learned from MS07-017

 

Spam Attack: RARed Trojan

Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.

As with the previous Peacomm spam run, the email contains an image (a GIF file) and an attachment. The image contains a message about a patch that can be used to "remove worm files" and the password for the file attached. However, in this case, the attachment is a RAR archive.

The files inside the RAR archive are detected as Trojan.Packed.13. This detection for Trojan.Packed.13 was available in definitions dated March 22, 2007. The Trojan.Packed.13 sample drops another malicious file, which is also already detected by March 22 definitions, this time as W32.Mixor.Q@mm.

These are some of the email Subject lines being used by this wave of spam:
Trojan Alert!
Virus Alert!
Virus Detected!
Virus Alert!
Warning!
Spyware Alert!
Worm Detected!

Some sample Attachment Filenames seen are as follows (where xxxxx represents a 5 digit random number):
bugfix-xxxxx.rar
removal-xxxxx.rar
patch-xxxxx.rar
hotfix-xxxxx.rar

Security Response has also noticed a slight increase of activity in TCP port 2525, which may be related to the spamming of the threat, as port 2525 is used as an alternative SMTP port in some servers.

Symantec Security Response has received several queries regarding how to best limit the impact of the latest run of Trojan.Peacomm spam. As with any e-mail-based malware, it's best to tackle it at the gateway by using email filters to block the mail, for example by subject line or attachment name. Also, Symantec's Brightmail-enabled messaging products now have a rule to block this latest spam run. Since the rule was added yesterday it has successfully blocked over 1.2 million messages!

We looked into the possibility of creating a reliable detection for the encrypted RAR archives. The only possible way to detect these files is to create a signature using the file header. With RAR archives using full encryption with AES, the header is only 14 bytes in size. All other information such as filename and other attributes are encrypted. While it is technically feasible to create a detection based on the file header and the approximate size of the file, there is a high risk of false positive detections, as clean RAR files of approximately the same size would also be detected. Taking the risk of false positives into consideration, and based on the fact that there are other more effective means to block this malware, we have made the decision not to release this detection.

Posted by Brian Ewell on April 25, 2007 02:00 PM

Source: Symantec Security Response Weblog: Spam Attack: RARed Trojan
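An added example, not from either Symantec post: a gateway-style filter in Python that encodes the Sober.AA subject lines and attachment names listed earlier on this page together with the Peacomm subject lines and xxxxx-style attachment names from this post, then classifies constructed sample messages. The rule names and the block/flag/pass verdict logic are my own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators copied from the two Symantec posts; rule names and verdict logic are mine.
RULES = {
    "sober-aa": {
        "subjects": {
            "ihr passwort wurde geaendert!", "fehlerhafte mailzustellung",
            "ihr account wurde eingerichtet!", "your updated password!", "error in your email",
        },
        # Passw_Data[RANDOM DIGITS].zip, PDaten..., Mail_Data..., Anleitung...
        "attachment": re.compile(r"^(passw_data|pdaten|mail_data|anleitung)\d+\.zip$", re.I),
    },
    "peacomm-rar": {
        "subjects": {
            "trojan alert!", "virus alert!", "virus detected!", "warning!",
            "spyware alert!", "worm detected!",
        },
        # bugfix-xxxxx.rar etc., where xxxxx is a 5-digit random number
        "attachment": re.compile(r"^(bugfix|removal|patch|hotfix)-\d{5}\.rar$", re.I),
    },
}

ARCHIVE_SUFFIXES = (".zip", ".rar")


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(msg):
    """Return (verdict, rule, reason) where verdict is 'block', 'flag' or 'pass'.

    A campaign-specific attachment name is enough to block on its own. A known subject
    line is generic ("Warning!"), so it blocks only when an archive is attached and is
    otherwise just flagged, to keep false positives down.
    """
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    has_archive = any(n.lower().endswith(ARCHIVE_SUFFIXES) for n in names)
    for rule_name, rule in RULES.items():
        if any(rule["attachment"].match(n) for n in names):
            return ("block", rule_name, "attachment name matches campaign pattern")
    for rule_name, rule in RULES.items():
        if subject in rule["subjects"]:
            if has_archive:
                return ("block", rule_name, "known subject line with archive attachment")
            return ("flag", rule_name, "known subject line but no archive attached")
    return ("pass", None, "")


def classify_raw(raw):
    """Entry point for a gateway that hands over the raw RFC 5322 bytes."""
    return classify(email.message_from_bytes(raw, policy=policy.default))


def make_message(subject, attachment=None):
    """Build a constructed sample message (not a captured spam)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attachment:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


SAMPLES = {
    "sober": make_message("Ihr Passwort wurde geaendert!", "Passw_Data83921.zip"),
    "peacomm": make_message("Warning!", "hotfix-48213.rar"),
    "subject-only": make_message("Virus Alert!", "report.pdf"),
    "benign": make_message("Lunch on Friday?", "agenda.pdf"),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:13s} -> {classify_raw(msg.as_bytes())}")
```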

 

Adobe Photoshop Bitmap File Handling Buffer Overflow Vulnerability

Secunia Advisory:
SA25023

Release Date:
2007-04-25

Critical:
Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
Adobe Photoshop CS2
Adobe Photoshop CS3

Description:
Marsu has reported a vulnerability in Adobe Photoshop, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error within the handling of Bitmap files (e.g. .BMP, .DIB, .RLE) and can be exploited to cause a stack-based buffer overflow via a specially crafted Bitmap file.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in Adobe Photoshop CS2 and CS3. Other versions may also be affected.

Solution:
Do not open untrusted Bitmap files.

Provided and/or discovered by:
Marsu

Original Advisory:
http://milw0rm.com/exploits/3793

Source: Adobe Photoshop Bitmap File Handling Buffer Overflow Vulnerability - Advisories - Secunia

 

Breakdown: How Does AV Software Deal With Software Exploits?

Wednesday April 25, 2007 at 1:12 pm CST
Posted by Allysa Myers


Think of software vulnerabilities as a doughnut. The delicious sugary goodness of software (operating system, Internet browser, media player, what have you) is compromised by a hole. Things can go through that hole, but the shape of the hole doesn’t really say anything about what will happen once something is on the other side of that hole.

Antivirus software can’t detect the doughnut hole itself, as it is designed to look for Somethings, rather than Holes-in-Something. Hole-seeking is the job of vulnerability-assessment tools. Sometimes AV software can proactively detect files attempting to go through holes if the vulnerability requires these files to be malformed in a way that makes them distinctive from other files of their kind. For instance, in order to exploit a vulnerability in a media player, it may require the media file to have certain distinctive data in an area where we don’t generally see such data.

Another way that the act of trying to go through the doughnut hole can be detected is by using buffer overflow protection. Many vulnerabilities use a buffer overflow as a way to squeeze files through a software hole. This is akin to the games people play in which they overload people with a certain word, so they’ll incorrectly answer a question. (“Say milk three times.” “Milk, milk, milk.” “What do cows drink?” “Uh, milk?”) The listeners’ minds are like the buffer: if the questioner overloads them with useless information, they’ll say the wrong thing. Effectively, buffer overflow protection prevents you from incorrectly answering the question, and the malicious code does not execute. Your system will still think “milk,” but it will be prevented from giving the bogus answer.

Now, if you have no proactive detection and no buffer overflow protection, then what? What happens with these files that are exploiting the vulnerability? Malware writers these days operate in a shotgun approach. They will post or send out (via e-mail, IM, in-blog spam, etc.) dozens of files, or else they’ll post a link to a Web site that is constantly updated with new files. So what you have to detect is a moving target. Maybe we’ll get lucky and find the file is similar to something that’s already known–either an existing family of malware, or constructed in a way that’s known to be fishy. In that case, we could generically or heuristically detect it. But it’s just as likely that the malware will be something brand new and undetected. Malware writers often test their creations against AV software to make sure that this is the case, so they can maximize the amount of time that they can stay on your machine.

That’s where having a layered defense comes in handy. Check software manufacturers’ Web sites to make sure all your software is up to date, and especially make sure your AV software is regularly updated. Most software, especially AV, has automatic update capability at this point. Make sure you have a firewall, as well. None of these things alone is 100 percent impervious to a nasty zero-day threat, but taken together they can keep your odds of having a problem very, very low.

Stay tuned for the next Breakdown: What makes an e-mail or Web site “suspicious”?

Source: Computer Security Research - McAfee Avert Labs Blog

 

DoS extortion is no longer profitable

In the last six months of 2006 we saw a pretty sharp decline in the daily number of denial of service attacks. Although there are likely a number of factors at play here, I think there is one primary factor: denial of service extortion attacks are no longer profitable.

DoS extortion attacks are usually carried out by a bot-network owner. Using their bots, the extortionist has to make a successful DoS attack against a target organization. Following that they have to issue the extortion request and hope the target organization pays it.

The thing is that DoS attacks are loud and risky. Whenever a bot-network owner carries out a denial of service attack they run the risk of losing some of their bots. This could happen either because an attacking computer is identified and disinfected, or if it is simply blocked by its ISP from accessing the network. Furthermore, if the bot-network owner isn’t careful they could lose their entire bot network if their command and control server is identified. Since a DoS extortionist has to carry out at least one successful DoS attack before they can even demand their pay, they run some serious overhead risks.

So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.

It is likely that bot network owners are now moving away from DoS extortion and towards more lucrative ventures like spam. Not surprisingly, we saw a noted increase in spam volumes in the last six months of 2006.

Posted by Yazan Gable on April 26, 2007 05:00 AM

Source: Symantec Security Response Weblog: DoS extortion is no longer profitable

 

Network Software Inspector - BETA Program
11:52 CET on the 24th April 2007. Entry written by Thomas Kristensen.

Last December, Secunia released the Software Inspector, a revolutionary tool that changed the way users all across the globe identified missing security updates.

Since then, over 300,000 inspections have been made using the Software Inspector. Secunia has received hundreds of emails with feedback, feature requests, and suggestions, all of which were thoroughly read and taken note of. Because of these, Secunia is able to fine-tune and improve the Software Inspector so that it can be a better tool for computer users everywhere.

Now, Secunia is planning to release the Network Software Inspector (NSI) which basically is an expanded version of the Software Inspector geared for scanning on internal corporate networks.

Secunia would like to invite corporate users to BETA test the NSI's capabilities to detect vulnerabilities on their internal network.

The NSI is significantly different from and more accurate than other vulnerability scanning solutions:
  • It can accurately identify more than 4,000 different applications
  • It uses file signatures to inspect applications
  • It correlates the application information with Secunia Advisories
  • It checks for missing security updates
  • It reports end-of-life applications
  • It generates easy to read reports
  • It doesn't rely on inaccurate remote vulnerability testing procedures
  • It inspects hosts via the network*

*) The beta is limited to a total of three hosts.

The NSI, similar to its predecessor the Software Inspector, is also a unique and revolutionary tool - designed for internal networks. In a nutshell, it is an internal vulnerability scanner, auditing tool, and vulnerability information feeder all in one. But that summary doesn't really do it justice. The technology that the NSI uses to do these functions was fully developed by Secunia Research; hence, you won't find that kind of technology in any other product, anywhere else.

The NSI is so accurate that it identifies thousands of applications, down to their distinct version number. Its vulnerability scanning capabilities are so safe that it doesn't need to perform any penetration testing.

Because Secunia received a lot of useful feedback and suggestions for the Software Inspector after its release, we would like to encourage network administrators to sign up as beta testers for the NSI. Their feedback has helped mold the Software Inspector into a more useful, more accurate tool, and we hope the same can be said for the NSI.

"I'm confident that beta testers won't regret having spent their time trying the NSI out. This is a chance to try out what we think is one of the most useful and most distinct products to come to the IT security market in a long time", according to Jakob Balle, Development Manager.

Beta testers will be asked to download the NSI and run it on their PCs. The beta version of the NSI is fully functional, with all features installed. From there on, beta testers are free to use the NSI to scan for vulnerable software on their internal network. There are no test scenarios, no tedious survey forms, no complex rating system. Secunia prefers to keep beta testing simple: does the NSI function correctly? Is it user-friendly? Is it an effective tool for finding insecure versions of software on the internal network? Are its vulnerability elimination recommendations accurate?

Beta testing is also recommended for existing Secunia solution customers, as the coming official release of the NSI will be capable of coordinating with the Secunia Vulnerability Intelligence solutions to create a more comprehensive vulnerability map of a network. The NSI can automatically create profiles and add unpatched issues to the Secunia Vulnerability Intelligence solutions.

Users who are interested in signing up as beta testers can go to:
http://secunia.com/Network_Software_Inspector/


Press Contact:
Thomas Kristensen, CTO
pr@secunia.com

Phone: +45 7020 5144
Fax: +45 7020 5145

Source: Network Software Inspector - BETA Program - Blog - Secunia

 

CA BrightStor ARCserve Backup Media Server Multiple Buffer Overflows

Secunia Advisory:
SA24972

Release Date:
2007-04-25

Critical:
Moderately critical

Impact:
System access

Where:
From local network

Solution Status:
Vendor Patch

Software:
BrightStor ARCserve Backup 11.x
BrightStor ARCserve Backup 11.x (for Microsoft SQL Server)
BrightStor ARCserve Backup 11.x (for Windows)
BrightStor ARCserve Backup 9.x
BrightStor Enterprise Backup 10.x

CVE reference:
CVE-2007-2139

Description:
Some vulnerabilities have been reported in BrightStor ARCserve Backup, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused by boundary errors in the SUN RPC service when processing RPC strings. They can be exploited to cause stack-based buffer overflows via specially crafted RPC strings sent to the service.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities affect the following products and versions:
* BrightStor ARCserve Backup r11.5
* BrightStor ARCserve Backup r11.1
* BrightStor ARCserve Backup r11 for Windows
* BrightStor Enterprise Backup r10.5
* BrightStor ARCserve Backup v9.01
* CA Server Protection Suite r2
* CA Business Protection Suite r2
* CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
* CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

Solution:
Apply patches.

BrightStor ARCserve Backup r11.5 SP3 - QO87569:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO87569

BrightStor ARCserve Backup r11.5 SP2 - QO87570:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO87570

BrightStor ARCserve Backup r11.1 - QO87573:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO87573

BrightStor ARCserve Backup r11.0 - QI82917:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QI82917

BrightStor Enterprise Backup r10.5 - QO87575:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO87575

BrightStor ARCserve Backup v9.01 - QO87574:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO87574

Provided and/or discovered by:
Discovered by Tenable Network Security and reported via ZDI.

Original Advisory:
CA:
http://supportconnectw.ca.com/public/storage/infodocs/babmedser-secnotice.asp

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-07-022.html

Source: CA BrightStor ARCserve Backup Media Server Multiple Buffer Overflows - Advisories - Secunia

 

HP StorageWorks Command View Advanced Edition for XP Unauthorized User Account Access

Secunia Advisory:
SA25029

Release Date:
2007-04-25

Critical:
Less critical

Impact:
Exposure of sensitive information

Where:
Local system

Solution Status:
Vendor Patch

Software:
HP StorageWorks Command View Advanced Edition for XP 5.x
HP StorageWorks XP Replication Monitor 1.x
HP StorageWorks XP Replication Monitor 5.x
HP StorageWorks XP Tiered Storage Manager 1.x
HP StorageWorks XP Tiered Storage Manager 5.x

Description:
A vulnerability has been reported in HP StorageWorks Command View Advanced Edition for XP, which potentially can be exploited by malicious, local users to gain access to other users' accounts.

The vulnerability is caused by an unspecified error in the new user registration or addition process. No further information is available.

The vulnerability reportedly affects the following products and versions:
* HP StorageWorks Command View Advanced Edition for XP v 5.0.0-00 to v 5.1.0-05 and v 5.5.0-00 to v 5.5.0-02
* HP StorageWorks XP Replication Monitor v 1.1.0-00 and v 5.0.0-00 to v 5.5.0-02
* HP StorageWorks XP Tiered Storage Manager v 1.1.0-00 and v 5.0.0-00 to v 5.5.0-01

when at least one of the following Lines/Models is installed on a single server:
* HP StorageWorks Command View Device Manager
* HP StorageWorks Command View Global Link Availability Manager
* HP StorageWorks Command View Replication Monitor
* HP StorageWorks Command View Tiered Storage Manager
* HP StorageWorks Command View Tuning Manager

Solution:
Apply updates.
http://welcome.hp.com/country/us/en/support.html?pageDisplay=drivers

HP StorageWorks Command View Advanced Edition for XP:
* Install v 5.6.0-01 or subsequent

HP StorageWorks XP Replication Monitor:
* Install v 5.6.0-01 or subsequent

HP StorageWorks XP Tiered Storage Manager:
* Install v 5.5.0-02 or subsequent

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
HPSBST02200 SSRT071330:
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBST02200

Source: HP StorageWorks Command View Advanced Edition for XP Unauthorized User Account Access - Advisories - Secunia
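The HP advisory above gives affected versions as ranges ("v 5.0.0-00 to v 5.1.0-05") and the fix as "v 5.6.0-01 or subsequent", which is exactly the correlation the Secunia NSI write-up earlier on this page describes (installed version against advisory data). The following Python script is an added example, not Secunia's, HP's or this blog's code: it parses HP-style version strings, encodes the three HP advisories from the text, and reports each entry of a constructed inventory as patched, vulnerable or unlisted. The hostnames and inventory rows are invented.

```python
"""Correlate installed versions with advisory version ranges.

Added example; it is not Secunia's NSI code nor HP's. The three HP
advisories below are transcribed from the advisory text above (affected
ranges and "install ... or subsequent" fix versions); the INVENTORY rows
are constructed for illustration. Version strings are taken in HP's
"v 5.1.0-05" form, a dotted release followed by a build number after the
dash, and compared numerically field by field rather than as strings.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# "v 5.1.0-05", "5.5", "1.1.0-00": optional v, dotted digits, optional -build
VERSION_RE = re.compile(r"^v?\s*(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(text: str) -> Version:
    """'v 5.1.0-05' -> (5, 1, 0, 5); a missing build counts as 0 and the
    release part is padded to three fields so '5.5' == '5.5.0'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) < 3:
        release.append(0)
    build = int(m.group(2)) if m.group(2) else 0
    return tuple(release) + (build,)


# Affected ranges are inclusive (lo, hi) pairs; a single affected version
# is written as (v, v). "fixed" is the first version the vendor says to run.
ADVISORIES: Dict[str, dict] = {
    "HP StorageWorks Command View Advanced Edition for XP": {
        "affected": [("5.0.0-00", "5.1.0-05"), ("5.5.0-00", "5.5.0-02")],
        "fixed": "5.6.0-01",
    },
    "HP StorageWorks XP Replication Monitor": {
        "affected": [("1.1.0-00", "1.1.0-00"), ("5.0.0-00", "5.5.0-02")],
        "fixed": "5.6.0-01",
    },
    "HP StorageWorks XP Tiered Storage Manager": {
        "affected": [("1.1.0-00", "1.1.0-00"), ("5.0.0-00", "5.5.0-01")],
        "fixed": "5.5.0-02",
    },
}


def assess(installed: str, advisory: dict) -> str:
    """'patched' at or above the fix, 'vulnerable' inside a listed range,
    otherwise 'unlisted': below the fix but outside every listed range
    (e.g. 5.2.x here), which a responder should treat as unknown and
    confirm with the vendor rather than mark clean."""
    v = parse_version(installed)
    if v >= parse_version(advisory["fixed"]):
        return "patched"
    for lo, hi in advisory["affected"]:
        if parse_version(lo) <= v <= parse_version(hi):
            return "vulnerable"
    return "unlisted"


# Constructed inventory: (host, product, installed version)
INVENTORY: List[Tuple[str, str, str]] = [
    ("xp-mgmt01", "HP StorageWorks Command View Advanced Edition for XP", "v 5.1.0-05"),
    ("xp-mgmt01", "HP StorageWorks XP Replication Monitor", "5.6.0-01"),
    ("xp-mgmt02", "HP StorageWorks XP Tiered Storage Manager", "5.5.0-02"),
    ("xp-mgmt02", "HP StorageWorks XP Tiered Storage Manager", "1.1.0-00"),
    ("xp-lab", "HP StorageWorks Command View Advanced Edition for XP", "5.2.0-00"),
    ("xp-lab", "Some Other Product", "1.0"),
]


def report(inventory, advisories) -> List[Tuple[str, str, str, str]]:
    """One (host, product, version, status) row per inventory entry."""
    rows = []
    for host, product, ver in inventory:
        adv = advisories.get(product)
        status = assess(ver, adv) if adv else "no advisory"
        rows.append((host, product, ver, status))
    return rows


if __name__ == "__main__":
    for host, product, ver, status in report(INVENTORY, ADVISORIES):
        print(f"{host:10} {status:12} {ver:10} {product}")
```

Comparing versions as tuples of integers is the point of the example: a string comparison would rank "5.10.0-00" below "5.6.0-01" and report a patched host as vulnerable. The "unlisted" status is deliberate; a version that sits below the fix but outside the published ranges is a gap in the advisory, not evidence of safety.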

 

Apple QuickTime Java Handling Unspecified Code Execution

Published: 2007-04-24,
Last Updated: 2007-04-24 21:54:43 UTC
by Deborah Hale (Version: 1)

Secunia Advisory: SA25011
Secunia has posted an advisory today concerning Java handling in Apple QuickTime. According to the advisory this is a highly critical problem that affects versions 3.x, 4.x, 5.x, 6.x and 7.x. The vulnerability is due to an unspecified error in QuickTime's Java handling, and can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser (e.g. Safari or Firefox).
For more information see:
secunia.com/advisories/25011/

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Published: 2007-04-24,
Last Updated: 2007-04-24 16:18:55 UTC
by Deborah Hale (Version: 1)
On Monday an article in USA Today ran under the title "Cyberspies exploit Microsoft Office". The article states that cyberspies are tainting Microsoft Office files and emailing them to specific organizations, hoping that an unsuspecting employee will open the attachment and infect their computer, thus opening a hole the attacker can use to explore the infected network for trade secrets, military secrets, passwords, etc. In an interview with USA Today, MessageLabs said it has intercepted assaults coming from Taiwan and China since November 2006. The targets appear to be federal agencies and defense and nuclear contractors.

In a quote from the article, our own Alan Paller at the SANS Institute says:

“Assaults are coming from China and perhaps other countries in the hunt for military, trade and infrastructure intelligence, says Alan Paller, research director at The SANS Institute, a security think tank. The goal: strategic advantage over the USA. "The attacks are working," says Paller. "Penetrations are deep and broad."

For more information and to read the article:

www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

97725.com is hosting malware!

Yep it is, and it seems the domain was created for the sole purpose of hosting malware.


A quick look at our malicious URL records shows that 97725.com hosts downloads of malware families such as PE_LOOKED, TSPY_LEGMIR, TROJ_MULDROP, TSPY_QQPASS, TSPY_WOW, and the most recent Microsoft exploit that hit it big, EXPL_ANIGEN.


The domain is hosted in China (not surprising), and most of the malware downloaded from or hosted on 97725.com is related to online game credential theft.
One interesting anti-URL-blocking technique used by the malware authors is the use of subdomains: 123.97725.com, down.97725.com and www.97725.com are the subdomains of 97725.com discovered by Trend so far. Blocking the parent domain rather than individual URLs covers all of them. As of writing, the domain 97725.com is being added to the URL Web Blocking list.


We advise network administrators and IT personnel to check for connection attempts to 97725.com, as these could signify an infected computer on the network.

Source: 97725.com is hosting malware! -  TrendLabs | Malware Blog - by Trend Micro

 

Fake Security Website Downloads Rogue Application

April 24th, 2007 by Trend Micro

We've just spotted another "security website" that offers to help users rid their systems of spyware. In reality, the website does nothing but trick the user into installing an adware application on their system.

Although the website doesn't automatically download the rogue application, it does a fairly good job of tricking the user into downloading it themselves.
Similar to the numerous ZLOB-carrying codec websites that proliferated during 2006, this one plays on the unsuspecting user's trust in security applications. Click on any of the download links and the file malwarealarmsetup.exe is downloaded to your system. When executed, it displays the usual dialog boxes of a legitimate installation package, even including standard EULA text.

Detection for this threat is being added; the file will be detected as ADW_SPYSHERIF.BG. As a word of caution, do not download or install anything this website offers.

Source: Fake Security Website Downloads Rogue Application -  TrendLabs | Malware Blog - by Trend Micro

 

Windows Mobile 6, File Encryption and Incident Response

With the advent of Windows Mobile 6 came a file system filter driver for encrypting data on Secure Digital (SD) cards, which are frequently used to store sensitive data. Previously, to gain access to users' data, an attacker could simply steal their SD card. Breaking the device's PIN protection was completely unnecessary.

In order to protect users and enterprises alike, Microsoft implemented on-device encryption for SD cards. The downside, however, is that the master key used for this encryption does not survive a hard reset, and there is currently no escrow mechanism, as Microsoft states plainly: [1]


There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don't want key escrow, that would also be good to hear.

As a result, if a device undergoes a hard reset, nobody will be able to recover the encrypted documents from the storage card.

Also noted by Microsoft [1] is that, when a file is encrypted on a storage card, its filename is modified, which helps incident responders identify such files. The format used for encrypted files is [filename].[extension].[GUID].menc. The .menc extension tells the Windows Mobile device that it is an encrypted file, and the [GUID] identifies the encryption key on the device.

The implementation relies on a master key that by default is stored under the \Windows\ directory (\Windows\System\default.mky). Anyone who has to respond to incidents involving Windows Mobile 6 devices and wants any chance of decrypting files held on SD cards (and who doesn't have a spare Cray in the office) should ensure that they grab copies of the master keys.

[1] Windows Mobile 6 Storage Card Encryption FAQ
http://blogs.msdn.com/windowsmobile/archive/2007/03/26/windows-mobile-6-storage-card-encryption-faq.aspx

Posted by Ollie Whitehouse on April 24, 2007 05:00 AM

Source: Symantec Security Response Weblog: Windows Mobile 6, File Encryption and Incident Response
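As an added example (not Microsoft's, Symantec's or this blog's code), the following Python script applies the [filename].[extension].[GUID].menc convention described above to a constructed storage-card listing and groups the files by key GUID, so a responder can see which files a captured default.mky would cover and which belong to a key that is gone. It assumes the GUID is written in the usual 8-4-4-4-12 hex form with optional braces, and it takes the GUID-to-key-file mapping as input, since how that GUID is read out of a captured key file is not covered on this page. All file names and GUIDs are invented.

```python
"""Triage of encrypted files on a Windows Mobile 6 storage card.

Added example; it is not Microsoft's or Symantec's code. It applies the
naming convention quoted above, [filename].[extension].[GUID].menc, to a
constructed directory listing, groups the files by the key GUID embedded in
their names, and reports which groups can be matched to a master key the
responder has already captured. Assumptions: the GUID is written in the
usual 8-4-4-4-12 hex form (braces optional), and the mapping from GUID to a
captured .mky file (KNOWN_KEYS) is supplied by the caller; how that mapping
is established is outside this example. All names and GUIDs are invented.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

GUID = r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?"
# stem keeps the original name including its extension; the GUID is anchored
# right before .menc so dots inside the original name do not confuse it
MENC_RE = re.compile(rf"^(?P<stem>.+)\.(?P<guid>{GUID})\.menc$", re.IGNORECASE)


class EncFile(NamedTuple):
    path: str
    original_name: str   # name the file had before encryption
    key_guid: str        # normalised (lower-case, no braces) key GUID


def parse_menc(path: str) -> Optional[EncFile]:
    """Return the parsed record for a .menc name, or None for anything else
    (plain files, or a .menc name without a well-formed GUID)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = MENC_RE.match(name)
    if not m:
        return None
    guid = m.group("guid").strip("{}").lower()
    return EncFile(path, m.group("stem"), guid)


def triage(listing: List[str], known_keys: Dict[str, str]) -> Dict[str, dict]:
    """Group encrypted files by key GUID. known_keys maps a GUID to the path
    of a captured master key (default.mky); a group with no entry there is
    unrecoverable if the device has since been hard reset."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path in listing:
        rec = parse_menc(path)
        if rec is not None:
            groups[rec.key_guid].append(rec.original_name)
    return {
        guid: {
            "files": sorted(names),
            "key_file": known_keys.get(guid),
            "recoverable": guid in known_keys,
        }
        for guid, names in groups.items()
    }


# Constructed listing: two files under one key (one with braces, one without),
# one under a key from before a hard reset, one plain file, one malformed name
LISTING = [
    r"\Storage Card\Q2 budget.xls.{A1B2C3D4-E5F6-7890-ABCD-EF0123456789}.menc",
    r"\Storage Card\contacts.pwi.a1b2c3d4-e5f6-7890-abcd-ef0123456789.MENC",
    r"\Storage Card\photos\IMG_0001.jpg.{0F0F0F0F-0000-4000-8000-000000000001}.menc",
    r"\Storage Card\notes.txt",
    r"\Storage Card\old.menc",
]
KNOWN_KEYS = {
    "a1b2c3d4-e5f6-7890-abcd-ef0123456789": r"\Windows\System\default.mky",
}

if __name__ == "__main__":
    for guid, info in triage(LISTING, KNOWN_KEYS).items():
        state = "key captured" if info["recoverable"] else "NO KEY"
        print(f"{guid}  {state:12}  {', '.join(info['files'])}")
```

The grouping is what makes the "grab the master keys" advice actionable: before a device is wiped or reset, the responder can see at a glance how many distinct keys the card's files depend on and whether the key file currently on the device accounts for all of them.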

Published: 2007-04-22,
Last Updated: 2007-04-22 00:33:00 UTC
by Koon Yaw Tan (Version: 1)
One of our readers (Gary) came across a forum post with links to free porn movies:
http :// free-bdsm-movies. info/movies/1270174.avi
(Resolves to 85.255.119.210)

However, clicking on the link opens another site in an iFrame:
http : //www. x-ratedclips.com/bdsm/dp/s5g2/movie1.php?bgcolor=000000&border=3C4553&id=1651
(Resolves to 81.0.250.226)

The x-ratedclips.com page contains HTML code that checks for the presence of a Trojan (Zlob.Trojan). If it is not found, the page tells the viewer that the movie cannot be played and that a "missing Video ActiveX Object" must be downloaded.

The "ActiveX object" link is
http: // www. amultimediasource.com/download.php?id=1651
(Resolves to 85.255.113.222)

Note: 85.255.112.0 - 85.255.127.0 is a known source of evil (http://isc.sans.org/diary.html?storyid=1811)

Not surprisingly, the downloaded file is a Trojan. Positive scan results from VirusTotal:

Engine             Version     Signatures   Detection
AntiVir            7.3.1.53    04.20.2007   DR/Zlob.Gen
AVG                7.5.0.464   04.20.2007   Downloader.Zlob.GG
BitDefender        7.2         04.21.2007   Trojan.Downloader.Zlob.RX
eSafe              7.0.15.0    04.19.2007   suspicious Trojan/Worm
Fortinet           2.85.0.0    04.21.2007   W32/Zlob.BRI!tr.dldr
Ikarus             T3.1.1.5    04.20.2007   Trojan-Downloader.Win32.Zlob.bpg
Kaspersky          4.0.2.24    04.21.2007   Trojan-Downloader.Win32.Zlob.bqt
McAfee             5014        04.20.2007   New Malware.as
Sophos             4.16.0      04.20.2007   Troj/Zlob-Gen
TheHacker          6.1.6.095   04.15.2007   Trojan/Downloader.Zlob.bpl
Webwasher-Gateway  6.0.1       04.21.2007   Trojan.Zlob.Gen

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
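The TrendLabs post above asks administrators to check for connection attempts to 97725.com (and notes the subdomain trick), and this diary lists the Zlob hosts, their resolved addresses and the 85.255.112.0 - 85.255.127.0 range. The following Python script is an added example, not Trend Micro's, the ISC's or this blog's code, that scans constructed proxy-style log lines for those indicators: domains are matched on label boundaries so subdomains hit but look-alikes such as evil97725.com do not, and the address range is treated as 85.255.112.0/20, which is an assumption about what the diary's range denotes. The log format and every log line are invented.

```python
"""Indicator matching over proxy-style log lines.

Added example; it is not Trend Micro's or the ISC's code. The indicators
come from the two posts above: 97725.com and its subdomains, the three Zlob
hosts with their resolved addresses, and the 85.255.112.0 - 85.255.127.0
range, which is taken here to mean the /20 (85.255.112.0 through
85.255.127.255); that reading of the range is an assumption. The log format
(timestamp, client, destination host, destination IP) and every log line
are constructed for the example.
"""
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Listing the parent domain covers 123.97725.com, down.97725.com, www.97725.com
BAD_DOMAINS: Set[str] = {
    "97725.com",
    "free-bdsm-movies.info",
    "x-ratedclips.com",
    "amultimediasource.com",
}
BAD_IPS = {ipaddress.ip_address(a) for a in ("85.255.119.210", "81.0.250.226", "85.255.113.222")}
BAD_NETS = [ipaddress.ip_network("85.255.112.0/20")]


def domain_matches(host: str, bad: Set[str]) -> Optional[str]:
    """Return the indicator that covers host, matching on label boundaries:
    'down.97725.com' hits '97725.com', 'evil97725.com' does not."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad:
            return candidate
    return None


def ip_matches(ip_text: str) -> Optional[str]:
    """Exact-address hit first, then the range; None for non-addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip in BAD_IPS:
        return f"ip {ip}"
    for net in BAD_NETS:
        if ip in net:
            return f"net {net}"
    return None


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<ip>\S+)$")


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client, destination host, reason) for every line that hits an
    indicator; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = domain_matches(m.group("host"), BAD_DOMAINS) or ip_matches(m.group("ip"))
        if reason:
            hits.append((m.group("client"), m.group("host"), reason))
    return hits


# Constructed sample; 192.0.2.0/24 is documentation space, not an indicator
SAMPLE_LOG = [
    "2007-04-24T10:01:02Z 10.0.0.15 www.example.com 192.0.2.10",
    "2007-04-24T10:01:09Z 10.0.0.15 down.97725.com 192.0.2.11",
    "2007-04-24T10:02:33Z 10.0.0.22 evil97725.com 192.0.2.12",
    "2007-04-24T10:03:00Z 10.0.0.31 cdn.example.net 85.255.120.7",
    "2007-04-24T10:03:05Z 10.0.0.31 www.amultimediasource.com 85.255.113.222",
    "this line is garbage",
]

if __name__ == "__main__":
    for client, host, reason in scan(SAMPLE_LOG):
        print(f"{client:12} {host:28} {reason}")
```

Matching the destination address as well as the hostname matters for the Zlob chain: the download host can be renamed cheaply, but the ISC note flags the whole 85.255.112.0 - 85.255.127.0 range, so a client reaching any address in it is worth a look even when the hostname is new.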

Posted