September 2007 - Posts

 

Apple iPhone Multiple Vulnerabilities

Secunia Advisory:
SA26983

Release Date:
2007-09-28

Critical:

Moderately critical

Impact:
Hijacking
Security Bypass
Cross Site Scripting
Exposure of sensitive information
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

OS:
Apple iPhone 1.x

CVE reference:
CVE-2007-3753
CVE-2007-3754
CVE-2007-3755
CVE-2007-3756
CVE-2007-3757
CVE-2007-3758
CVE-2007-3759
CVE-2007-3760
CVE-2007-3761
CVE-2007-4671

Description:
Some vulnerabilities, security issues, and a weakness have been reported in the Apple iPhone, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or to compromise a vulnerable system.

1) An input validation error when handling SDP (Service Discovery Protocol) packets exists in the iPhone's Bluetooth server. This can be exploited by an attacker in Bluetooth range to cause the application to crash or to execute arbitrary code by sending specially crafted SDP packets.

Successful exploitation requires that Bluetooth is enabled.

2) The problem is that users are not notified about changes of mail servers' identities when Mail is configured to use SSL for incoming and outgoing connections. This can be exploited e.g. to impersonate the user's mail server and obtain the user's email credentials.

Successful exploitation requires a MitM (Man-in-the-Middle) attack.

3) It is possible to cause the iPhone to call a phone number without user confirmation by enticing a user to follow a "tel:" link in a mail message.

4) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page.

For more information see vulnerability #2 in:
SA23893

5) An error in Safari in the handling of "tel:" links can be exploited to cause the iPhone to dial a different number than the one being displayed in the confirmation dialog. Exiting Safari during the confirmation process may result in unintentional confirmation.

6) An error in Safari can be exploited to set Javascript window properties of pages served from other websites when a malicious web site is viewed.

7) Disabling Javascript in Safari does not take effect until Safari is restarted.

8) An error in Safari allows a malicious website to bypass the same-origin policy using "frame" tags. This can be exploited to execute Javascript code in the context of another site when a user visits a malicious web page.

9) An error in Safari allows Javascript events to be associated with the wrong frame. This can be exploited to execute Javascript code in context of another site when a user visits a malicious web page.

10) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. This can be exploited to execute Javascript code in context of HTTPS web pages in that domain when a user visits a malicious web page.

Solution:
Update to version 1.1.1 (downloadable and installable via iTunes).

Provided and/or discovered by:
The vendor credits:
1) Kevin Mahaffey and John Hering of Flexilis Mobile Security
3) Andi Baritchi, McAfee
4) Michal Zalewski, Google Inc. and Secunia Research
5) Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang
6, 8) Michal Zalewski, Google Inc.
10) Keigo Yamazaki of LAC Co., Ltd.

Original Advisory:
http://docs.info.apple.com/article.html?artnum=306586

Other References:
SA23893:
http://secunia.com/advisories/23893/

Source: Apple iPhone Multiple Vulnerabilities - Advisories - Secunia

 

Internet Explorer "OnKeyDown" Event Focus Weakness

Secunia Advisory:
SA27007

Release Date:
2007-09-28

Critical:

Not critical

Impact:
Exposure of sensitive information

Where:
From remote

Solution Status:
Unpatched

Software:
Microsoft Internet Explorer 6.x

Description:
Ronald van den Heetkamp has discovered a weakness in Internet Explorer, which potentially can be exploited by malicious people to disclose sensitive information.

For more information:
SA25904

The weakness is confirmed in Internet Explorer 6.0 on a fully-patched Windows XP SP2 system. Other versions may also be affected.

Solution:
Disable Active Scripting support.
Do not enter suspicious text when visiting untrusted web sites.

Provided and/or discovered by:
Ronald van den Heetkamp

Original Advisory:
http://www.0x000000.com/index.php?i=437

Other References:
SA25904:
http://secunia.com/advisories/25904/

Source: Internet Explorer "OnKeyDown" Event Focus Weakness - Advisories - Secunia

Now this is funny! 

“Avert Labs Darwin Award” Nomination

Thursday September 27, 2007 at 4:29 pm CST
Posted by Hiep Dang


This article literally made me laugh out loud, so I had to write about it.

I hope you’ve heard of the Darwin Awards. This would be my nomination for the Avert Labs Darwin Award (if we had such an award).

Evidently, a company called WorkSpace had a batch of their Apple computers stolen from their office. One of these computers had an application installed called Flickrbooth, which has the ability to automatically take snapshots with a webcam and upload them to a designated Flickr account.

Well, a few days ago, they discovered pictures of the new “owner” of their computers on their Flickr account. I present to you the face of today’s modern cybercriminal:

I guess this is a low-cost way of Lo-jacking your computer. :-)

Source: Computer Security Research - McAfee Avert Labs Blog

 

Cyber Security Awareness Month - Daily Topics

Published: 2007-09-28,
Last Updated: 2007-09-28 01:25:52 UTC
by Marcus Sachs (Version: 1)

October is Cyber Security Awareness Month and the Internet Storm Center is going to focus on one security awareness subject per day.  We plan to provide useful information for information security professionals who want to educate their users but do not have a ready set of awareness tips. 

We asked for your ideas and boy did you have some good ones. To all of our readers who sent in hundreds of ideas over the past two weeks, thanks very much!  It took a bit of work but I think we've got about 95% of the topic suggestions covered.  Below is the list of topics by week and day that we will use them in October.  As you'll see, the first week focuses on tips for getting the message out to your users.  Subsequent weeks focus on specific topics.

We need your help beginning this weekend and continuing through the month of October.  If you would like to submit a tip, please use our contact form and be sure to put something in the subject like "Security Tip, day 15" to make it easier for us to sort them.  Keep your tips brief and to the point, and remember that the audience is the end user, not your sysadmins or netops geeks.

1. Establishing a User Awareness Training Program
  1 Penetrating the "This Does Not Apply To Me" Attitude
  2 Multimedia Tools, Online Training, and Useful Websites
  3 Getting the Boss Involved
  4 Enabling the Road Warrior
  5 Social Engineering and Dumpster Diving Awareness
  6 Developing and Distributing Infosec Policies
2. Best Practices
  7 Host-based Firewalls and Filtering
  8 Anti-Virus, Anti-Spyware, and Other Protective Software
  9 Access Controls, Including Wireless, Modems, VPNs, and Physical Access
 10 Authentication Mechanisms (Passwords, Tokens, Biometrics, Kerberos, NTLM, Radius)
 11 File System Backups
 12 Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
 13 Patching and Updates
3. Hardware/Software Lockdown
 14 Data Encryption
 15 Protecting Laptops
 16 Protecting Portable Media like USB Keys, iPods, PDAs, and Mobile Phones
 17 Windows XP/Vista Tips
 18 Mac Tips
 19 Linux Tips
 20 Software Authenticity (Digital Signatures, MD5, etc.)
4. Safe Internet Use
 21 Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
 22 Detecting and Avoiding Bots and Zombies
 23 Using Browsers, SSL, Domain Names
 24 Using Email, PGP, X509 Certs, Attachments
 25 Using Instant Messaging and IRC
 26 Safe File Swapping
 27 Online Games and Virtual Worlds
5. Privacy and Protection of Intellectual Property
 28 Cookies
 29 Insider Threats
 30 Blogging and Social Networking
 31 Legal Awareness (Regulatory, Statutory, etc.)

Marcus H. Sachs
Director, SANS Internet Storm Center

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************
Title: Microsoft Security Bulletin Re-Release
Issued: September 27, 2007
********************************************************************

Summary
=======
The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS07-042 - Critical

Bulletin Information:
=====================

* MS07-042 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
- Reason for Revision: Bulletin Updated: Added Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File
Formats and Microsoft Expression Web as affected products. The Bulletin has also been updated to inform customers that a
potential reliability issue exists in applications that have installed Microsoft XML Core Services 4.0 on Windows Vista,
which can be addressed by applying the download available in Microsoft Knowledge Base Article 941833.
- Originally posted: August 14, 2007
- Updated: September 27, 2007
- Bulletin Severity Rating: Critical
- Version: 2.0

 

Ask Toolbar ToolbarSettings ActiveX Control Buffer Overflow

Secunia Advisory:
SA26960

Release Date:
2007-09-25

Critical:

Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
Ask Toolbar 4.x

Description:
Joey Mengele has discovered a vulnerability in Ask Toolbar, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control (askBar.dll) when handling the "ShortFormat" property. This can be exploited to cause a stack-based buffer overflow by assigning an overly long (greater than 500 bytes) string to the affected property.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.0.2. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.
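The kill-bit mitigation named above, as an added example that is not part of the Secunia advisory or any vendor tool: Internet Explorer refuses to instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The script validates a CLSID, composes that registry entry, and writes it when run on Windows. The advisory gives only the ProgID AskJeevesToolBar.SettingsPlugin.1, not the CLSID, so the CLSID in the usage line is a placeholder; resolve_progid() looks the real one up from HKCR on the affected machine. Function names here are this example's own.

```python
"""Set the IE kill-bit for an ActiveX control (added example, not the advisory's code)."""
import re
import sys

try:
    import winreg  # only present on Windows; the pure helpers work anywhere
except ImportError:
    winreg = None

KILLBIT_FLAG = 0x400  # bit IE checks in "Compatibility Flags" to block a control
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid: str) -> str:
    """Return the canonical upper-case, braced CLSID, or raise ValueError."""
    value = clsid.strip().upper()
    if not value.startswith("{"):
        value = "{" + value + "}"
    if not CLSID_RE.match(value):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return value


def killbit_entry(clsid: str) -> tuple:
    """Return (HKLM subkey, value name, DWORD flag) that kill-bits the given CLSID."""
    return (COMPAT_KEY + "\\" + normalize_clsid(clsid), "Compatibility Flags", KILLBIT_FLAG)


def resolve_progid(progid: str):
    """Look up HKCR\\<ProgID>\\CLSID on Windows; returns None on other platforms."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\CLSID") as key:
        value, _ = winreg.QueryValueEx(key, "")
        return normalize_clsid(value)


def set_killbit(clsid: str, wow64_32: bool = False) -> bool:
    """Write the kill-bit, preserving any other flags already set.

    Needs administrative rights. On 64-bit Windows the 32-bit IE reads the
    WOW6432Node view, selected here with wow64_32=True. Returns False when not
    on Windows so callers can tell "nothing happened" from "done".
    """
    subkey, name, flag = killbit_entry(clsid)
    if winreg is None:
        return False
    access = winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE
    if wow64_32:
        access |= winreg.KEY_WOW64_32KEY
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, name)
        except FileNotFoundError:
            existing = 0
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, existing | flag)
    return True


if __name__ == "__main__":
    # Placeholder CLSID: the advisory does not publish the real one. On the
    # affected machine, resolve_progid("AskJeevesToolBar.SettingsPlugin.1")
    # returns the value to pass in.
    target = sys.argv[1] if len(sys.argv) > 1 else "{00000000-0000-0000-0000-000000000000}"
    print(killbit_entry(target))
    print("applied" if set_killbit(target) else "not on Windows; entry shown only")
```

Setting the kill-bit does not remove the DLL; it only stops IE (and other hosts that honour the flag) from loading the control, which is why the advisory lists it as the workaround while no vendor patch exists.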

Provided and/or discovered by:
Joey Mengele

Original Advisory:
http://www.milw0rm.com/exploits/4452

Source: Ask Toolbar ToolbarSettings ActiveX Control Buffer Overflow - Advisories - Secunia

 

How much is your data worth?

Tuesday September 25, 2007 at 11:09 am CST
Posted by Allysa Myers


Apparently P2P is the place to find information these days, especially highly confidential information. There have been two particularly interesting and high-profile cases of P2P clients being improperly configured such that important company data has been placed on P2P networks. I found one paragraph of the second article particularly interesting:

In July, the House Committee on Oversight and Government Reform heard testimony from several witnesses about how everything from classified military documents to corporate data can be found on P2P networks. The leaked documents on P2P networks cited as examples at the hearing included the Pentagon’s entire secret backbone network infrastructure diagram; contractor data on radio frequency manipulation to defeat improvised explosive devices in Iraq; and physical terrorism threat assessments for three major U.S cities.

This tells me there are still a large number of companies that are still explicitly or implicitly allowing file-sharing programs in their environments, or they’re allowing employees to take highly sensitive documents outside of their environment. This would seem to imply they consider their data to be of relatively low value, even if it could put lives or livelihoods at risk.

Contrast this with the average home user who doesn’t regularly deal with highly confidential data - what do you suppose they figure is the value of their personal data, compared with confidential government documents? What do you suppose the odds are of them taking higher precautions with their data than a government site?

What will be the watershed event that causes people to understand that their data has value? Will there be a “Melissa virus” of data loss?

Source: Computer Security Research - McAfee Avert Labs Blog

 

Microsoft's stealth updates stymie XP repairs

Windows Updates' silent upgrade blocks patches needed after restoring XP

 

Gregg Keizer

September 27, 2007 (Computerworld) The contentious stealth update that Microsoft delivered to customers this summer blocks 80 patches and fixes from installing after Windows XP is restored using its "repair" feature, researchers said today.

Scott Dunn, who first reported the problem in a story posted Thursday morning to the "Windows Secrets" newsletter, said that users who reinstall Windows XP with the repair option cannot retrieve the full set of updates from Windows Update (WU). The problem, he said, has been traced to the so-called "stealth update" to WU which Microsoft has acknowledged sending to users beginning in July.

Two weeks ago, Dunn broke the story of the background updates, which were sent to most non-corporate Windows XP and Vista users. The updates were delivered and installed without prior notification, even when the PC's owner had told the operating system not to download or install updates without notification and permission.

The revelation launched a firestorm of protest from users, which in turn prompted Microsoft to defend the practice as well as say it would think about ways to clarify its update policies.

"Two weeks ago we said that the silent update was harmless," said Dunn today. "But now we're saying it is a problem."

That problem affects any user who restores Windows XP using the setup CD's "repair" option, sometimes also called an "in-place reinstallation" because it reinstalls the operating system files without disturbing the applications and data already on the disk drive. Because repair is essentially a roll-back to XP's original state, the OS must be updated with all subsequent patches and hotfixes using WU. A system bought soon after Windows XP SP2 was released, for example, would need to download and install about three years' worth of updates.

After a repair, XP defaults to the "Automatic" setting for Automatic Updates, which means WU is immediately updated to version 7.0.600.381, the version pushed to PCs by the summer's undercover upgrade, said Dunn. Seven of the DLL (dynamic link library) files that make up 7.0.600.381, however, fail to register themselves with Windows. That, in turn, keeps XP from successfully installing approximately 80 of the most recent patches and fixes.

In a normal, non-repair situation, there's no indication of a glitch, since DLLs by the same name have previously been keyed into Windows' registry. "On a repaired copy of XP, however, no such registration has occurred, and failing to register the new DLLs costs Windows Update the ability to install any patches," he said.

Dunn pointed out workarounds, which included installing an older version of WU over the top of 7.0.600.381. "Windows Secrets" has also posted instructions for creating a batch file that registers the seven DLLs.

While the registration failure and the unsuccessful patch installations aren't directly related to the fact that Microsoft didn't disclose the silent WU updates, Dunn sees it as part of a bigger, and disturbing, picture. "It's part of the whole problem with the silent update, and all part of the pattern of Microsoft's sloppiness," he said. "They're keeping us out of the loop. They're not working well with the IT community."

If anyone needed proof that stealth updates are a bad idea, Microsoft's defense of the practice notwithstanding, this is it, said Dunn. "IT needs to test updates for this very reason. It's why companies like to download and test updates before they install to the rest of the network," he said.

It's not clear how long WU has prevented post-repair updates, but searches through Microsoft's support newsgroups revealed questions about similar behavior as long ago as June. Responses by other users, including some with Most Valued Professional (MVP) designation -- an honorific Microsoft gives to users who make major contributions to the Windows community -- offered advice much like Dunn's. Several of them pointed users to the support document KB916259.

The earliest such postings, however, preceded the silent WU update to version 7.0.600.381. When questioned about the discrepancy, Dunn acknowledged the similarities, but in an e-mail said that the two issues were different. He cited several inconsistencies, including an error message called out in the support document that doesn't appear in his test machines.

In fact, Microsoft has updated WU twice since late May: the July-August silent update and a visible update rolled out in June. That update was designed to fix a long-standing problem with Automatic Updates in which the PCs' CPUs maxed out at 100%.

Microsoft was not available for comment early Thursday morning.

Source: Microsoft's stealth updates stymie XP repairs

 

POC Exploit Yahoo!s

September 25th, 2007 by Trend Micro

Instant messaging application Yahoo! Messenger is on the news again, as it becomes the target of a new proof-of-concept exploit. According to Trend Micro Escalations engineer Edgardo Diaz, said POC intends to prove that a certain component in the application known as FT60.DLL (version 1.0.0.4) can download a certain file from the internet. This function or feature (intended/unintended) can possibly be used by other malware as a vector to arrive on a user’s system.

Based on testing done in Windows XP SP2 with the latest version of Yahoo! Messenger (8.1.0.421) using the said DLL component, programs or Web sites using the CLSID related to the said DLL can download files from the Internet. Users can be led to malicious/non-malicious sites that will first prompt for an ActiveX warning. When users allow the said ActiveX component to execute, FT60.DLL downloads files specified by the program or Web site.

This POC is the latest to target Yahoo! applications, Messenger in particular. Last June, Trend Micro researchers Jonell Baltazar and Jhoevine Capicio blogged about the two Yahoo! Messenger Webcam ActiveX vulnerabilities being exploited days after the vulnerabilities were made public. Other Yahoo! applications were also plagued by vulnerabilities and/or exploits. Last month, Paul Oliveria reported on the security advisory released by Yahoo! regarding Widgets. Jasper Pimentel also blogged about a POC that plagued Yahoo! Mail.

As of this writing, no word yet from folks at Yahoo!. Users are advised to be wary of accepting ActiveX prompts.

Source: POC Exploit Yahoo!s - TrendLabs | Malware Blog - by Trend Micro

 

New Prime Minister, New Trojan

Today, a new Prime Minister took over office in Japan. As usual, malware authors are taking full advantage of this big occasion, launching targeted attacks that play upon the event. Symantec Security Response has received an archive file today with the file name mofa.zip, which contains an executable called mofa.exe. This file is detected as Backdoor.Darkmoon.E.

According to a local news source (in Japanese), an email pretending to be from the newly elected Prime Minister, Yasuo Fukuda, is hitting some individuals' email boxes. The email contains content regarding Japanese diplomacy in Asia, along with the address and phone number of the Prime Minister's office, an attempt to make the email look more authentic. The name “MOFA” in mofa.zip, an acronym for the "Ministry of Foreign Affairs", is also an attempt to trick the receiver into opening the malicious attachment. This attack has prompted Mr. Fukuda's office to release a brief statement on this matter on its Web site (also in Japanese).

With the political event at its peak, email recipients of this targeted email may be caught off guard due to stress and exhaustion from being involved directly or indirectly with the event. Even though Symantec has detected the malware since September 20, never let your guard down. We strongly recommend that you keep your security software up-to-date and follow safe computing practices. If you receive any unexpected email, we suggest you treat it with caution just to be on the safe side.

Posted by Joji Hamada on September 25, 2007 11:00 AM

Source: Symantec Security Response Weblog: New Prime Minister, New Trojan

 

Storm Drain

Over the past few months, there has been talk about a wave of malware known commonly as “Storm”. “Storm” has been noted to be responsible for Distributed Denial of Service (DDoS) attacks, mass phishing emails, spam, botnets, and all sorts of online malicious activity.

While the name “Storm” was adopted by press, security companies had already adopted a myriad of names for the set of malware that encompasses this attack. Here at Microsoft, we refer to certain components as Win32/Nuwar and others as Win32/Tibs. Other names such as Zhelatin and shorter names associated with brief attacks have also been used, such as e-card or nfltracker. As I noted, there are many different components, each with its own specialized functionality, so over time, many names have been used.

In August, Microsoft’s Malware Protection Center (MMPC), the group of researchers responsible for each month’s additions to the Malicious Software Removal Tool (MSRT), decided to add this family to the September MSRT release based on its prevalence. The MSRT updates are released monthly in conjunction with Microsoft’s security software updates, and are free to the public in an effort to remove prevalent malware from the Windows eco-system and improve everyone’s ability to enjoy the Internet. With more than 350 million machines around the world that run this program, it requires great care and planning to release each new version.

After much work and testing, we made this month’s MSRT available for download on September 11, and now, after one week, we would like to share some of the statistics with you. But before I do, the researcher in me requires that I give you the caveats. First, MSRT is targeted against very specific known malware. It is well known that the “Storm” attacks are engineered by criminals who update their malware frequently. As a result, we are in an endless chase. But that doesn’t mean we shouldn’t try to make things better. Also, once we decide to take on a family in the MSRT, we continue the assault on that family moving forward, so we will keep at it. Because of all the testing that has to be done, we have to freeze our signature additions weeks in advance to make sure we have ample time to do the testing required to release a product as error free as possible (since even a small percentage of errors will impact thousands or millions of people).

Finally, to the numbers (numbers as of 2PM Tuesday, PDT).

The Renos family of malware has been removed from 668,362 distinct machines. The Zlob family has been removed from 664,258 machines. And the Nuwar family has been removed from 274,372 machines. In total, malware has been removed by this month’s MSRT from 2,574,586 machines.

So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT.

Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of “Storm’s” Denial of Service (DoS) capability on September 11th. Unfortunately, that data does not show a continued decrease since the first day. We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet released a newer version to update their software. To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the number of Nuwar components. Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the “Storm” botnet. Machines that will be cleaned by MSRT in the subsequent days will be of similar nature.

The effort by criminals who try to usurp machines on the Internet for their criminal enterprise continues. The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active “Storm” botnet. Such numbers might project that the strength of that botnet possibly stood at almost half a million machines with an additional few hundred thousand infected machines that the “Storm” botnet perhaps were not actively incorporating.

Unfortunately, “the virus you are most likely to be infected with is the one that you most recently cleaned”, because people with a habit of doing something are likely to repeat whatever they did. Despite so many machines having been cleaned recently by MSRT, the “Storm” botnet will slowly regain its strength. This highlights that MSRT is only effective if it is used in conjunction with a real-time antimalware program or package.

As I said before, once we set our sights on a particular malware family, we will continue in that fight. So, we await the next release of MSRT when hopefully, we will take another bite out of crime.

--  Jimmy Kuo

Published Thursday, September 20, 2007 5:35 PM by blogmalware

Source: Anti-Malware Engineering Team : Storm Drain

 

$109.30 in 2 minutes … IRS refunds attack

Monday September 24, 2007 at 9:16 am CST
Posted by Chris Barton


Phishers today are targeting the IRS with a large phish attack. So far it is spread over 25 domains. The phish offers victims a $109.30 refund directly to their credit card for filling in an online form. How convenient ;)

Here is an XYZ-obscured list of domains currently in use.

10361irsfundXYZ.com
13031irsfundXYZ.com
1412irsfundXYZ.com
16268irsfundXYZ.com
17389irsfundXYZ.com
21817irsfundXYZ.com
34042irsfundXYZ.com
37903irsfundXYZ.com
39621irsfundXYZ.com
4331irsfundXYZ.com
49383irsfundXYZ.com
55005irsfundXYZ.com
59631irsfundXYZ.com
61819irsfundXYZ.com
66725irsfundXYZ.com
66731irsfundXYZ.com
7148irsfundXYZ.com
7685irsfundXYZ.com
77452irsfundXYZ.com
79463irsfundXYZ.com
84131irsfundXYZ.com
87655irsfundXYZ.com
91767irsfundXYZ.com
93181irsfundXYZ.com
93189irsfundXYZ.com

Example below:

IRS Phish

As is usual these days for this sort of attack the phishers are using a whois privacy service, in this instance register.com’s $9 registration masking service… Again. We’ve seen a number of similar attacks recently. I wonder why they bother paying extra for such things when they are trivially forged.

…There I go again, assuming THEY actually pay.

Oh, while we’re on the subject, F-Secure have a cute blog on using Google to catch PayPal phish. Note the “Results: 1-10” … Ten. Guys, there are 259 other active phish on that server alone. Googlejuice is for wimps ;)

Source: Computer Security Research - McAfee Avert Labs Blog

 

Pump-and-dump stock morphs again

Pump-and-dump stock, or penny stock, spam has been around for a long time. Most memorably it has the distinction of being the main deliverable of image spam. Regardless of the morphing or variations it is still pump-and-dump stock and while we're not stock advisors we would advise against it, unless you like parting from your money.

The most recent morphing we've observed over the past few days includes highly obfuscated messages with a few distinctive features. For starters, none of the message headers in the attack contain a subject line. This means that when it lands in your inbox there will be no subject line for the message. Spammers may be utilizing this tactic as a means to entice end users to open the message by banking on the curiosity of an end user to open the mysterious message. There is a subject line in the body of the message. The spammer is most likely doing this for obfuscation purposes.

Other features of this pump-and-dump attack are the inclusion of random, alphabetized email addresses in the body, an additional set of headers (also in the body), and then the penny stock that is being pumped.

Text Body Sample:

Subject: hx-pn s m i l e s
Date: Tue, 25 Sep 2007 21:10:32 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0040_01C7F9F5.098DA510"
aname@domain.com
abname@domain.com
acname@domain.com

H...X...P...N----p...k....
Yestrday@0.15
Curent@0.17
/0.30@day5
/0.60@day10=20

The text portion of the message displays the penny stock and its current price. The HTML for this attack shows a new twist: the stock symbol's price is inserted in a "mailto:" link, in the place that would usually be reserved for a URL.

Html body sample:

<BR>Q*C*P*C-pk<BR>Q~C~P~C <BR></FONT><A=20

href=3D"mailto:Current@0.002/0.01@day5/0.02@day10"><FONT=20

size=3D2>Current@0.002<BR>/0.01@day5</FONT>
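The features described above (no Subject header, a second header block inside the body, a run of alphabetized addresses, ticker@price lines, and a "mailto:" whose target is a price rather than an address) can be turned into a small heuristic check. The following Python is an added example, not code from the Symantec post. Its sample messages are constructed: the bodies are the text and HTML samples quoted in the post, with outer headers added by this example; the HTML sample is kept in its quoted-printable form and decoded the way a mail client would before matching. Function and regex names are this example's own.

```python
"""Heuristic check for subject-less pump-and-dump spam (added example)."""
import re
from email import message_from_string
from email.message import Message

# One regex per indicator named in the post.
HEADER_IN_BODY_RE = re.compile(r"^(?:Subject|Date|MIME-Version|Content-Type):", re.M)
BARE_ADDRESS_LINE_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+\s*$", re.M)
PRICE_MAILTO_RE = re.compile(r'mailto:[^"\'\s>]*@\d+\.\d+', re.I)  # mailto:Current@0.002
TICKER_PRICE_RE = re.compile(r"\b[A-Za-z]+@\d+\.\d+")  # Yestrday@0.15, Curent@0.17

# Constructed sample 1: outer headers carry no Subject; body is the post's text sample.
TEXT_SAMPLE = """From: sender@example.invalid
To: victim@example.invalid
Date: Tue, 25 Sep 2007 21:10:32 -0700
Content-Type: text/plain

Subject: hx-pn s m i l e s
Date: Tue, 25 Sep 2007 21:10:32 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0040_01C7F9F5.098DA510"
aname@domain.com
abname@domain.com
acname@domain.com

H...X...P...N----p...k....
Yestrday@0.15
Curent@0.17
/0.30@day5
/0.60@day10=20
"""

# Constructed sample 2: the post's HTML sample, still quoted-printable encoded.
HTML_SAMPLE = """From: sender@example.invalid
To: victim@example.invalid
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<BR>Q*C*P*C-pk<BR>Q~C~P~C <BR></FONT><A=20
href=3D"mailto:Current@0.002/0.01@day5/0.02@day10"><FONT=20
size=3D2>Current@0.002<BR>/0.01@day5</FONT>
"""

# Constructed control: an ordinary message with a Subject and a plain body.
BENIGN_SAMPLE = """From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch tomorrow?
Content-Type: text/plain

Are we still on for 12:30? Let me know.
"""


def message_text(msg: Message) -> str:
    """Decoded text of every text/* part; get_payload(decode=True) undoes QP/base64."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)


def indicators(raw: str) -> dict:
    """Evaluate each indicator on a raw RFC 2822 message."""
    msg = message_from_string(raw)
    body = message_text(msg)
    subject = msg.get("Subject")
    return {
        "missing_subject": subject is None or not subject.strip(),
        "headers_in_body": bool(HEADER_IN_BODY_RE.search(body)),
        "address_list_in_body": len(BARE_ADDRESS_LINE_RE.findall(body)) >= 3,
        "price_mailto": bool(PRICE_MAILTO_RE.search(body)),
        "ticker_prices": len(TICKER_PRICE_RE.findall(body)) >= 2,
    }


def score(raw: str) -> int:
    """Number of indicators that fired."""
    return sum(indicators(raw).values())


def is_pump_and_dump(raw: str, threshold: int = 3) -> bool:
    """Flag when enough independent indicators agree; one alone is too noisy."""
    return score(raw) >= threshold


if __name__ == "__main__":
    for name, sample in (("text", TEXT_SAMPLE), ("html", HTML_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score(sample), indicators(sample))
```

The threshold matters: a missing Subject on its own is common in legitimate mail, and a body that quotes a forwarded message will trip the headers-in-body check, so the score only flags when several of the post's features co-occur.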

Posted by Kelly Conley on September 24, 2007 05:00 AM

Source: Symantec Security Response Weblog: Pump-and-dump stock morphs again

 

Kaspersky AntiVirus klif.sys Hooked Functions Denial of Service

Secunia Advisory:
SA26887

Release Date:
2007-09-24

Critical:

Not critical

Impact:
DoS

Where:
Local system

Solution Status:
Unpatched

Software:
Kaspersky Anti-Virus 6.x
Kaspersky Anti-Virus 7.x
Kaspersky Internet Security 6.x
Kaspersky Internet Security 7.x

Description:
EP_X0FF has reported some vulnerabilities in Kaspersky AntiVirus, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerabilities are caused due to errors within klif.sys when handling the parameters of certain hooked functions. These can be exploited to cause a DoS by e.g. calling "NtCreateSection()", "NtUserSendInput()", "LoadLibraryA()", or other unknown SSDT entries with specially crafted parameters.

The vulnerabilities are reported in version 7.0 build 125. Other versions may also be affected.

Solution:
The vendor is reportedly working on an update to be released November 2007.

Provided and/or discovered by:
EP_X0FF

Original Advisory:
Kaspersky:
http://www.kaspersky.com/technews?id=203038706
rootkit.com:
http://www.rootkit.com/newsread.php?newsid=778

Source: Kaspersky AntiVirus klif.sys Hooked Functions Denial of Service - Advisories - Secunia

 

Cards, Cards, Cards, Baked Beans, Cards, Cards...
Posted by Sean @ 10:20 GMT


There are a high number of reports for Trojan-Downloader.Win32.Banload.DRS today.
It's very similar to August 16th's run of Agent.BRK.
This time the bad guys have once again returned to the attachment name of card.exe.
Trojan-Downloader:W32/Banload.DRS Statistics

The subject lines are recycled as well:
   Hot pictures
   Hot game
   Here is it
   You ask me about this game, Here is it
   Something hot

Our signature detection for this latest variant is included in database 2007-09-24_01.
Our DeepGuard System Control technology will have prompted users even before signatures were released.

Source: F-Secure : News from the Lab
