July 2007 - Posts

 

Spam Excel(s)

July 23rd, 2007 by Miray Lozada

Spammers are Excel-ing, literally. Text and image spam as PDF files are now old news as MS Excel enters the spam scene. Last July 22, Trend Micro researchers started noticing email messages that carry ZIP-packed Excel files. When opened, these Excel files stink of pump-and-dump schemes that spam mails are now notorious for. See images below:

[Image: Email]

[Image: Zip Archive]

[Image: Excel File]

Using ZIP as carrier of malicious files is already a known routine of many malware families like WORM_BAGLE and TROJ_YABE. Using ZIP as carrier or as part of a spam scheme, however, is quite new and may be a social engineering tactic more than anything else. The fact that the email arrives as an Excel file packed in ZIP may have more to do with an attempt to lend credence to a stock-related email at a time when authorities are seriously running after pump-and-dump spammers. That the spammer chose Excel, an application usually associated with accounting ergo money, may not be a coincidence as well.

Spam Excel(s) now and it is not far off the mark that it Word(s) and PowerPoint(s) in the future…and Photoshop(s) and Outlook(s) and ….

Source: Spam Excel(s) - TrendLabs | Malware Blog - by Trend Micro

 

Funny.zip
Posted by Mikko @ 12:27 GMT


There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on.

Trojan-Downloader.Win32.Agent.brk

The emails that are sent typically contain funny.zip as the attachment.

Email subjects vary but are typically "spammy" in nature:

  Action for pleasure
  Life is good!
  life is beautiful!
  Double energy
  Paradice in your bed
  View this price
  Return sunrise to your life!
  You can be young again!
  Paradice in your bed

We had detection for this particular malware already out before the spamming really began in large scale.

Source: F-Secure : News from the Lab

I already have one of these (if I could just get a damn battery!!), but for the rest of you...

Blog@Newsarama » ‘Beware my power … Green Lantern’s light!’

Monday July 23, 2007, 7:53 am

Make your own Green Lantern ring

Are you itching for your own Green Lantern replica ring, but unwilling to shell out $90 for it? Well, itch no more. The good folks at Instructables provide a step-by-step explanation of how to make a resin-cast Green Lantern ring — including a glow-in-the-dark version.

(Via Neatorama)

 

New Trend in Attacking the Java Runtime Environment?

Attacks targeting vulnerabilities in the Java Runtime Environment are anything but new. Several researchers have previously visited this topic and the results have been some fantastic research. However, in recent weeks the DeepSight Threat Analyst Team has been investigating several Java issues resulting from a notable increase in vulnerabilities reported affecting the Java Runtime Environment and its associated components.

The threat landscape has seen a dramatic increase in attacks targeting client-side vulnerabilities in recent years. Vulnerabilities have been exposed in a variety of applications including media players, Web browsers, ActiveX controls and mail clients, to name just a few. The ubiquitous nature of the Java Runtime Environment makes it a prime candidate for attackers. With this in mind, it is not surprising to see much of the preliminary research into exploitation of environments like the Java Virtual Machine manifest itself both in recently disclosed vulnerabilities and the consequent exploitation of these issues “in the wild.” This research has likely been (or will be) exacerbated by the fact that portions of Java are now open-source.

On January 16, 2007, Sun Microsystems published a vulnerability in the Java Runtime Environment which was submitted to the Zero Day Initiative in December 2006. The issue is a heap-corruption vulnerability which can be triggered when parsing a GIF image with a width attribute of 0 (Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability). On June 26, 2007, a DeepSight honeypot was compromised by a malicious Web site targeting this vulnerability (among several others). Although several vulnerabilities in the Java Runtime Environment have been disclosed previously, the DeepSight Threat Analyst Team had witnessed very few cases of exploitation of these vulnerabilities in the wild, making this a notable event.

Coincidentally, on July 3, 2007, another heap-corruption flaw related to image parsing in the Java Runtime Environment was disclosed (Sun JDK JPG/BMP Parser Multiple Vulnerabilities). This issue was due to insufficient validation when parsing ICC profiles (a cross-platform way to describe color spaces for displaying images). On July 9, 2007, eEye disclosed a trivially exploitable stack-overflow when parsing JNLP files (Sun Java Runtime Environment WebStart JNLP Stack Buffer Overflow Vulnerability). This vulnerability is due to a lack of bounds checking when parsing the codebase parameter. This sudden influx of high-profile JRE vulnerabilities provides some interesting insight into the current state of Java security. These issues suggest a shift (or at least an increase in disclosure) to more contemporary research targeting the Java Runtime Environment.

Perhaps one of the most interesting points regarding vulnerabilities in the Java Runtime Environment is the advantage inadvertently provided for attackers to leverage these vulnerabilities. First and foremost are Java Applets, which provide an excellent delivery vehicle for vulnerabilities affecting the Java Runtime Environment. Applets make it easy for exploits targeting JREs to be delivered via malicious Web sites as “drive-by” attacks. Applets can easily be hidden via an iframe or scaled down in size and placed in an inconspicuous portion of the Web site, making them difficult to notice.

Second, due to the way Java allocates heap-memory, scenarios where the attacker can repeatedly “spray” the heap with a nop sled and associated payload across a large portion of memory can be used to add reliability to an exploit. This technique was initially pioneered by Skylined for use in JavaScript when targeting browser vulnerabilities, but similar techniques have since proven useful inside the JRE as well (see JvmGifVulPoc.java). Additionally, by returning to the heap (particularly in the case of stack-overflow vulnerabilities), an attacker is able to circumvent many of the security mechanisms provided by Windows XP SP2 (DEP and SafeSEH). The ability to reliably bypass these security mechanisms makes the exploitation of these vulnerabilities even more enticing.

The solution for mitigating these types of attacks is the old standard. First and foremost, ensure that Java is kept up to date with the most recently available patches, along with IPS/IDS signatures. Whenever browsing an untrusted Web site, do so with caution and avoid enabling Java, JavaScript or other types of active content whenever they are unnecessary (for Firefox users there is a great extension called NoScript that makes this process very easy).

Research into flaws affecting the Java Runtime Environment is not a new topic; however, the use of these issues in the wild is beginning to become a reality. The effectiveness of attack toolkits like MPack reiterates the dangers associated with client-side vulnerabilities. Due to the intrinsic complexities associated with file format parsers, it is unlikely that these types of bugs will be hunted into extinction anytime soon; a class of vulnerability of which Java appears to be anything but exempt.

Coincidentally, we have recently seen the disclosure of three high-profile vulnerabilities in the Microsoft .Net Framework. Two of these are of particular interest, the Microsoft .Net Framework PE Loader Remote Buffer Overflow Vulnerability and the Microsoft .Net Framework JIT Compiler Remote Buffer Overflow Vulnerability, which are very reminiscent of the types of bugs disclosed in the Java Runtime Environment, suggesting that the race to find these types of vulnerabilities in .Net is on.

Posted by Darren Kemp on July 23, 2007 05:00 AM

Source: Symantec Security Response Weblog: New Trend in Attacking the Java Runtime Environment?

This is getting bad, I get several of these a day that slip past my usual spam controls.

Recent change in Stock-Spam Tactics (PDF and Excel)

Published: 2007-07-22,
Last Updated: 2007-07-22 19:14:00 UTC
by Kevin Liston (Version: 1)

It started nearly a month ago, a shift from image-based spam to spams containing PDF files.

I'm sure that you've seen these in your mailbox; the shift over to PDF was effective in evading spam filters. You have also likely noted their shift in tactics from a simple text message in the PDF to encoded images in the PDF (to foil pdf2text-like tools, I presume).

I would have thought that this shift would have had an impact on the efficacy of the scheme. "Certainly people won't open unsolicited PDF files," I thought. Based on the number of submissions in the past month asking if these were PDF-exploit attempts, I felt that this shift would have had some impact on the success of this type of scheme.

In January, I performed an unscientific experiment monitoring the impact of Pump and Dump schemes on the targeted companies. My hypothesis was that Pump and Dump schemes have an overall negative impact on the company whose symbol was targeted. I was unable to prove this hypothesis: the stock price quickly returns to normal three to four weeks after an event (in the population of stocks that I tracked in the first quarter of 2007, that is).

This morning I did a bit of comparison with symbols identified in the few PDF files that I had left in my mailbox.  Looking at this small sample it seems that these schemes are just as effective in manipulating the stock price as text-only and image-based spam messages.

The consequence of this is that there exists a large population of people with a fair amount of assets in the stock market that willingly open up unsolicited PDF files. This makes for a concerning scenario when an arbitrary-code-execution vulnerability is identified in popular PDF readers.

A reader submitted a report that they were receiving a large number of spam messages consisting of an Excel file. Examination of this file showed that it contained a Pump and Dump message. This could serve as an indicator of another shift in tactics. The VERY interesting part is that the formatting of this Excel file is extremely similar to the first PDF version reported by Maarten. This group appears to target the German stock market. I look forward to US penny-stock schemes employing this technique shortly. I'm similarly concerned about the number of people who will open unsolicited Excel files too.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Security Cost of Social Computing

Friday July 20, 2007 at 8:37 am CST
Posted by Nishad Herath

Trackback

As recently as five years ago, most of us probably communicated electronically only through either e-mail or phone. If someone wanted to pry into these communications, they had to tap our phones, steal our phone records or hack our e-mail accounts. But today, we voluntarily leave bits and pieces of our personal lives scattered all over the Internet. From elaborate profiles on social networking sites (such as Facebook, which, for example, has experienced a growth explosion in Australia as of late) to innocuous comments on personal blogs of others, we publish our likes and dislikes, our affiliations, political views and even our day to day routine for pretty much the whole world to see. In fact, younger Internet users appear to be leading the way. And it’s not all just play either. We increasingly rely on sites like Seek, monster.com and LinkedIn to advance our careers as well. These days, not only do we seem to leave a part of our digital personality wherever we spend a lot of time online, but we also seem to bundle a much greater part of our lives into this digital personality.

Now, is it too much of a stretch to imagine digital identity thieves and other fraudsters working hard, even as we speak, using the awesome power of modern search engines to put together these various online clues to piece the puzzle that is the digital you? I think not! I believe that this is already happening on a wider scale than any of us would like to believe. We’ve made it easier for anyone to discover who we are and increased their chances to get acquainted with us, no matter where in the world they are. Especially with social networking sites and online dating sites, shady characters could easily work their way into our trust gradually, starting off as a “friend of a friend of a friend” or a potential love interest. From the stories I’ve heard, this seems to be taking place a lot more than I would have considered to be the case.

To compound the issue, online services are becoming extremely complex. With a diverse set of functionalities and the ability to “host applications” or mash-ups, these online platforms are getting as complex as operating systems themselves. What does this all mean? Well, it means that online services are increasingly becoming exposed to various attacks like Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), not to mention the oldest trick in the book - social engineering. Unfortunately, traditional anti-virus software, personal firewalls or host-based intrusion prevention products sometimes are not very well suited to address some of these threats at present.

Our online world is changing and it’s changing fast. With the explosion of exciting new possibilities also come a set of unfamiliar risks. So what do we do? Do we curb our enthusiasm and say no to progress? Not at all. Fear is hardly the solution. All we have to do is to be a bit more proactive about our online security. Make sure we educate ourselves on the latest threats. Think twice about what personal information we share online and with whom. If you happen to notice something “fishy” going on, please notify someone who could look into that. While the security industry is moving fast, innovating new technology to provide better protection, you are still the single most important contributor to online security; both yours and ours that is.

Be safe and have a great social computing experience!

Source: Computer Security Research - McAfee Avert Labs Blog

 

The Nduja Job: Into The World Of XSS Worms

Thursday July 19, 2007 at 1:40 pm CST
Posted by Rahul Mohandas

Trackback

Cross-site scripting (XSS) is a type of vulnerability typically found in web applications, which allows code injection by malicious web users into the web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

One of the older stories of XSS worms dates back to 2002, when there were claims of XSS flaws in Hotmail which could be exploited to broadcast e-mail to all the people in the address book of the infected user. Last year there was a surge in worms targeting websites with XSS flaws, like Samy and Yamanner.

The advent of many popular websites that post XSS cheat sheets online, and their constant updates, could make hackers cognizant of the XSS filters and the possible ways of evading them. To add to the woes are “Javascript XSS Scanners”, which are automated tools for finding cross-site scripting vulnerabilities in web pages.

XSS worms are becoming more and more sophisticated. Lately there’s been a lot of attention on this POC worm which goes by the name Nduja. The worm spreads by exploiting cross-site scripting vulnerabilities in 4 leading webmail providers.

The life cycle of the Nduja worm is similar to that of a classic e-mail worm, and it is capable of:

  1. Harvesting e-mails present in the Inbox.
  2. Collecting the contacts' e-mail addresses from the address book.
  3. Self-propagating to the contacts.

A recent advancement in this area is the creation of a hybrid worm which involves a client-side and a server-side component. The technology uses XSS tunneling. Portcullis Computer Security have published a whitepaper describing XSS tunneling in detail. A typical attack scenario (also described in the paper) is as follows:

[Image: XSS Tunnel]

  1. An attacker infects a website with a persistent or reflected (temporary) XSS attack which calls remote XSS Shell JavaScript.
  2. The Victim follows a link or visits the page and executes the JavaScript within that domain.
  3. The Victim’s browser begins to perform periodic requests to the XSS Shell Server and looks for new commands.
  4. When the victim's browser receives a new command, it is processed and the results are returned to the XSS Shell.
  5. The Attacker can push new commands to the victim(s)' browser and view the results from the XSS Shell administration interface.

Could this technology transform into an XSS-based botnet? Keep your eyes peeled on this space while we keep you posted with updates as they happen.

Source: Computer Security Research - McAfee Avert Labs Blog
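Step 3 of the XSS tunnel scenario above gives defenders something to look for: a browser that polls one host at a fixed interval. The following is an added example (not McAfee's or Portcullis' code) that flags such regular polling in a constructed proxy log; the log format, thresholds and hostnames are assumptions, not from the original post.

```python
"""Flag client/host pairs whose request timing looks like scripted polling.

Added example; the log lines below are constructed and the format
(timestamp client host path) is an assumption, not any real proxy's.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls shell.example.net every 5 seconds,
# 10.0.0.7 browses news.example.org at irregular, human-looking intervals.
SAMPLE_LOG = """\
2007-07-19T13:40:00 10.0.0.5 webmail.example.com /inbox
2007-07-19T13:40:02 10.0.0.5 shell.example.net /poll?id=17
2007-07-19T13:40:03 10.0.0.7 news.example.org /
2007-07-19T13:40:07 10.0.0.5 shell.example.net /poll?id=17
2007-07-19T13:40:12 10.0.0.5 shell.example.net /poll?id=17
2007-07-19T13:40:15 10.0.0.7 news.example.org /story/1
2007-07-19T13:40:17 10.0.0.5 shell.example.net /poll?id=17
2007-07-19T13:40:22 10.0.0.5 shell.example.net /poll?id=17
2007-07-19T13:40:41 10.0.0.7 news.example.org /story/2
2007-07-19T13:40:49 10.0.0.7 news.example.org /story/3
2007-07-19T13:40:50 10.0.0.7 news.example.org /story/7
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_requests=4, max_cv=0.2):
    """Return [(client, host, mean_gap_seconds)] for pairs whose gaps between
    requests are regular enough to look like a polling loop.

    max_cv is the coefficient of variation (stdev / mean) of the gaps above
    which the series is treated as ordinary browsing rather than polling.
    """
    series = defaultdict(list)
    for ts, client, host in parse_log(text):
        series[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, host, avg))
    return hits


if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {host} roughly every {gap:.1f}s")
```

Real pages also poll legitimately (webmail refresh, chat clients), so the hits are triage candidates to compare against the site's expected behaviour, not verdicts.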

 

Web is the way to go?

Published: 2007-07-20,
Last Updated: 2007-07-20 03:03:36 UTC
by Jason Lam (Version: 1)

We have all seen the recent web-related incidents, such as Mpack, that leverage compromised web sites. These tactics are gaining popularity in malware distribution. Web technologies have been advancing at sonic speed every day; new technologies such as Web 2.0 mashups are getting attention from everybody. If not carefully deployed, these technologies will bite us back.

Some of the traditional (old school) security folks still think, "if I patch all the vulnerabilities according to advisories released by the vendor, I will be safe." As we get more and more 0-day vulns in OSes and related software packages, this practice is not acceptable anymore. On the web application front, this is totally unsafe. If you developed your own web application, no vendor will knock on your door to get the application fixed.

Some people may like to think the custom code they wrote would be hard to mass-exploit (using a worm) and therefore unlikely to be attacked. The truth is, scanning for vulnerabilities (at least the common ones) is not difficult at all. Take XSS Assistant as an example: it leverages Greasemonkey, which is an add-on to Firefox; as you are surfing, you can click a few times and it will tell you whether a site is vulnerable to Cross Site Scripting. Locating the vulnerability may be the easy part, but exploiting it isn't hard either; there are exploitation frameworks like BeEF that can assist in creating damaging exploits. And that's just for XSS; the other web-related vulnerabilities are all getting their share of tools to ease the attack process.

A few persistent people might still think a web site compromise is no big deal, just a web site getting defaced.... Wrong! There is a whole lot more than that when a web site gets compromised: deploying a malware distribution point like Mpack is one possibility, but it could easily become a serious threat to overall network security as well. SQL injection, in its more serious form, can easily get binaries and executables onto the database server and start running malicious code; how does running nmap from your database server sound to you? If that is all too theoretical to you, take a look at these reverse shells designed to run on a web server, yielding a command shell back to the attacker. Once the attacker can upload the code or remotely include that code into the running web application, they can get a command shell on your web server.

The reverse shell technique is a lot like the traditional infrastructure type of attack, where an initial exploit is used to get a shell back to the attacker. The major change here is that web applications are used as the medium instead of the OS or other software packages. If your application security practice is not as good as that of some of the large software manufacturers, it might be a cause for concern.

Does your current incident handling plan include scenarios of compromised web applications? If not, I suggest you look at it seriously.

If you want to learn more about web attack techniques, SANS offers Web Application Security Workshop, Breaking Web Applications and AJAX and Web Services Security Overview.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: July 19, 2007
********************************************************************

Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-040 - Critical

Bulletin Information:
=====================

* MS07-040 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
- Reason for Revision: Bulletin Updated: Corrected KB933854 file manifest table for .NET Framework 1.1 on supported versions of Windows Server 2003. The Bulletin has also been updated providing an additional link to the main Bulletin Knowledge Base Article which will document all non-security functionality changes introduced in this .NET Framework security update.
- Originally posted: July 10, 2007
- Updated: July 19, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2

 

Microsoft Patch support not Free?

Published: 2007-07-15,
Last Updated: 2007-07-18 09:43:31 UTC
by Swa Frantzen (Version: 2)

Update: We got the following statement from Microsoft.

We are aware that some customers have expressed confusion about whether Microsoft provides no-charge support for issues related to security updates. Microsoft has provided no-charge support for issues related to security updates and viruses for several years and there has been no change to that policy.

If a customer believes they're experiencing a security or virus related issue they may contact Microsoft directly for support using the country specific numbers provided at support.microsoft.com/security. In North America, customers can call 1-866-PCSAFETY for this support.

To help improve the customer experience, Microsoft has recently made changes to the PC Safety line in order to ensure customers are connected directly to a PC Safety agent, at no charge, when they dial the PC Safety line.

If customers feel that they have been inappropriately charged for a security or virus related issue they should contact: 1-800-Microsoft.

We got reactions to some of our previous stories that some of the patch support relating to the recently released patches was not being offered for free in reality.  We are being assured by our Microsoft contacts that it is indeed intended to be free, and that they are willing to work with us to find out what went wrong.

So if you want to participate in a little study together with Microsoft, let us know what you tried that they (tried to) make you pay for and add in your contact details such as telephone numbers to be shared privately with our Microsoft contacts.

More anonymous reactions can go to the new poll, but we're looking for a few cases that are usable to find out where it goes wrong.

--
Swa Frantzen -- NET2S

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

New Version of FireFox

Published: 2007-07-18,
Last Updated: 2007-07-18 05:46:09 UTC
by Scott Fendley (Version: 1)

Earlier today, Mozilla Firefox 2.0.0.5 was released which has a number of bug fixes including a couple of privacy related bugs and a few security related ones.

Mozilla's Forum show many of the details of these fixes for those that would like to peruse until the release notes are updated.  You can download the newest version from mozilla.com or through its automated update facility.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Microsoft Patch support not Free?

Published: 2007-07-15,
Last Updated: 2007-07-15 16:47:42 UTC
by Swa Frantzen (Version: 1)

We got reactions to some of our previous stories that some of the patch support relating to the recently released patches was not being offered for free in reality.  We are being assured by our Microsoft contacts that it is indeed intended to be free, and that they are willing to work with us to find out what went wrong.

So if you want to participate in a little study together with Microsoft, let us know what you tried that they (tried to) make you pay for and add in your contact details such as telephone numbers to be shared privately with our Microsoft contacts.

More anonymous reactions can go to the new poll, but we're looking for a few cases that are usable to find out where it goes wrong.

--
Swa Frantzen -- NET2S

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Patch your Flash Player and Java Runtime Environment *NOW*
Posted by SGMasood @ 21:59 GMT


Adobe and Sun have released patches today for several critical vulnerabilities that affect their respective Flash Player and Java Runtime Environment. Many of these vulnerabilities can be exploited to execute arbitrary code on victims' computers just by making them access a malicious URL using any application that invokes Flash Player or JRE. In English, this means that you can get hacked just by viewing a webpage that contains malicious Flash or Java content.

Many of the vulnerabilities are cross-platform, and between them, they have most OS-browser combinations covered. You are vulnerable until you install the patches. Read the advisories from the vendors and grab the patches here and here.

There are no reported in-the-wild exploits yet, but we might see some soon, as enough technical information required to build an exploit has been released publicly for at least a few of these vulnerabilities.

Source: F-Secure : News from the Lab

 

Java Run Time Advisory Issued

Published: 2007-07-13,
Last Updated: 2007-07-13 16:44:38 UTC
by Deborah Hale (Version: 1)

According to an article online at ZDNet there is yet another potential problem with Java.

news.zdnet.com/2100-1009_22-6196493.html

Australia's Computer Emergency Response Team analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk.

www.auscert.org.au/render.html

This flaw may have an impact on PDAs and mobile phones as well as PCs. Because Java is browser independent it has potential to impact many, many devices. It is recommended that you patch all Java devices as soon as possible.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

QuickTime Update Equals Update QuickTime
Posted by Sean @ 15:33 GMT


Apple released QuickTime version 7.2 yesterday. The update includes eight important security fixes in which viewing a maliciously crafted H.264 movie/movie/.m4v/SMIL file or visiting a malicious website may lead to arbitrary code execution. Apple's website has additional details.

The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows. If you have iTunes or Apple Software Update installed, then you can just install iTunes 7.3.1 and QuickTime 7.2 will be included. If you only have QuickTime installed, perhaps on a corporate network, then you'll need to manually download the update.

It's important to update. Why? Because of stuff like MPack.

MPack is a PHP based malware kit that's sold as if it were commercial software. It includes updates, support, and additional modules can be purchased. It's very successful at the moment.

[Image: MPack Code]

The kit uses compromised passwords to hack web servers and to insert an IFrame. If you visit a web page with such an IFrame, MPack's PHP script will be run and it will attempt to infect your computer. The PHP script is structured so that OS and browser versions are identified. The IFrame redirects to other PHP scripts depending on the details. These various scripts are easily updated by MPack's authors. Among the list of exploits it tries is one for QuickTime.

This new update may fix some of the QuickTime flaws known to malware authors. And it may also tip them off to new exploits. Apple's iTunes, and therefore QuickTime, is a very popular application. If everyone updates sooner rather than later it will shorten the window of opportunity for the bad guys. Patch your applications as well as your operating system.

Source: F-Secure : News from the Lab
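Both the MPack post above (an IFrame inserted into hacked web servers) and the Symantec Java post earlier on this page (applets hidden via an iframe or scaled down) describe the same tell: an embed the page author did not intend is made invisible. The following is an added example, not F-Secure's code or anything from the MPack kit, that scans HTML for iframes, applets, objects and embeds hidden by size, style or an off-screen container; the sample page, hostnames and thresholds are constructed.

```python
"""Flag iframes/applets/objects/embeds that are hidden or shrunk to nothing.

Added example; SAMPLE_HTML is a constructed page with one legitimate
embed and three injected ones using common hiding tricks.
"""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """\
<html><body>
<h1>Site news</h1>
<iframe src="https://video.example.com/player" width="640" height="360"></iframe>
<iframe src="http://198.51.100.23/in.php" width="1" height="1" frameborder="0"></iframe>
<div style="position:absolute; left:-1000px">
<applet code="Loader.class" width="0" height="0"></applet>
</div>
<iframe src="http://203.0.113.9/mp/" style="display:none"></iframe>
</body></html>
"""

HIDE_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)  # pushed far off-screen
EMBED_TAGS = {"iframe", "applet", "object", "embed"}


def _tiny(value):
    """True for a width/height of 0 or 1 px, the classic 1x1 IFrame."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class HiddenEmbedFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, is_hidden) for enclosing non-embed elements
        self.findings = []   # (tag, src-or-code, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden = bool(HIDE_STYLE.search(style) or OFFSCREEN.search(style))
        if tag in EMBED_TAGS:
            reason = None
            if hidden:
                reason = "hidden by style"
            elif any(h for _, h in self.stack):
                reason = "inside hidden container"
            elif _tiny(a.get("width")) and _tiny(a.get("height")):
                reason = "zero/one pixel size"
            if reason:
                self.findings.append((tag, a.get("src") or a.get("code"), reason))
        else:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_embeds(html):
    """Return the list of (tag, source, reason) findings for one HTML document."""
    parser = HiddenEmbedFinder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, src, reason in find_hidden_embeds(SAMPLE_HTML):
        print(f"{tag:7} {reason:25} {src}")
```

Run it over a known-good copy of a site and over the live pages; a finding that appears only on the live copy is the kind of injected IFrame the post describes.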
