February 2008 - Posts

 

Arsenal Fan Site Compromised, Serves Malware

February 28th, 2008 by Jovi Umawing

Sports fan sites being compromised by malicious authors is not unheard of. We’ve seen it happen to a Jets fan site in early January this year, and we’re seeing it again in another fan site–this time of Arsenal, a popular English soccer team.

The compromised Web site in this case is Onlinegooner.com, which was reported by ScanSafe OI to be “maliciously active.” STAT confirmed that the fan site had been injected with malicious code, which led to the download of malware from the following IP addresses:

  • 61(dot)19(dot)246(dot)58
  • 202(dot)83(dot)212(dot)250
  • 89(dot)107(dot)104(dot)30

It was observed that the aforementioned addresses were hosted from several parts of the globe, like Thailand, Hong Kong, and Russia. The downloaded malware was found to contain rootkit, keylogging, backdoor, ARP poisoning, and DNS spoofing capabilities — all of which are, admittedly, pretty sophisticated features for a piece of malware.

Onlinegooner.com has been bringing news to Arsenal fans for a decade now, and it was also news that was used to bring malware to fans. As the seeding of malware took place February 18, one motivation for the compromise could have been the then-upcoming Champions League match that the team had against AC Milan. Closely following this event was striker Eduardo da Silva’s injury, which must have also served the malicious users’ purposes in drawing more fans to the site.

Source: Arsenal Fan Site Compromised, Serves Malware | TrendLabs | Malware Blog - by Trend Micro

 

Spyware from World’s Largest Podcast Directory

February 28th, 2008 by Roderick Ordoñez

A site dubbing itself as the world’s largest podcast directory has been compromised! Even Google cautions about visiting the site, warning the user that it “may harm your computer.”

The site, hxxp://www.pod-planet.com, seemingly contains a redirector string, such that a visit to the site’s main page (hxxp://www.pod-planet.com/index.asp) will automatically lead users to http://www.{BLOCKED}e8.com/app/helptop.do, which in turn downloads a malicious file from http://www.{BLOCKED}e8.com/app/wm.exe. Trend Micro detects the downloaded file as TSPY_WOWAR.AG.

Once again playing culprit to this series of redirections is injected code, which has been obviously obfuscated to deter possible analysis. Obfuscation — normally done to protect direct copying of personal code — may actually prove detrimental to a malware (spyware) author in this case, as it may be proof enough that a chunk of illegible characters is present in a fully legitimate site.

Diligence is required of any Webmaster, and indeed much of it is needed in this robust era of Web threats. Such is truly applicable if one plans to call itself the “largest podcast directory” on the Net, as malware writers are all too eager — and fully capable — to transform this “largest directory” to serve heapings of malicious intent.

Source: Spyware from World’s Largest Podcast Directory | TrendLabs | Malware Blog - by Trend Micro

 

Gmail Captcha gets a Serious Kick from Bot Tagteam

February 28th, 2008 by Arman Capili

Word has it that spammers have started circumventing the CAPTCHA system used by Google’s email service, Gmail. It can be recalled that a similar issue happened with the Windows Live mail service a few weeks back.

The two attacks are pretty similar in terms of using bots to sign up new email accounts. However, the Gmail attack is considered more complicated since it uses two compromised hosts in its attempts to break into the Google Captcha system. The first host attempts to extract a copy of the Captcha image in bitmap format then attempts to break the code. In case it fails, a second host uses the same image, but breaks it down into segments then sends it as a portable image or graphic file. Segmentation is the only task where humans still outperform bots, but it is steadily gaining attention and focus among spammers and bot herders.

It is apparent in the mechanism above that Google Captchas are a lot harder to break than those from other email services—and it better be. Gmail provides a very wide window of opportunity for spammers in leveraging Google’s wide range of services for free. The popularity of Google makes it difficult to track spammers among the millions of users across the globe. This further makes Google’s domains highly unlikely to get blacklisted.

Although breaking the Google Captcha is of a very low percentage as of yet, we cannot deny that it works. We can expect more innovations in the future, and far more effective and creative ways of dealing with bots should definitely be in the to-do lists of email service providers as well.

Source: Gmail Captcha gets a Serious Kick from Bot Tagteam | TrendLabs | Malware Blog - by Trend Micro

 

Mac Case
Posted by Sean @ 16:53 GMT |


Patrik's Mac DNS Changer video recently generated some viewer mail.
RLV wrote us the following:

Thank you for your video about the DNS changer trojan horse being targeted to Mac computers.
I was wondering if you could offer assistance. My computer has been infected by this trojan horse…

This is what happened:
RLV thought that his Mac was infected with a DNSChanger trojan and so he started doing some research. His search results located our video but the demo and his personal experience didn't sync because he wasn't prompted for his password as was demonstrated.
He then contacted us and we requested his samples. Well, his sample files were indeed a variant of Trojan:OSX/DNSChanger.
So we followed up again. With a few more details, we realized that he had installed Intego's VirusBarrier before the "infection" and not afterwards as we had originally thought. So the trial version of VirusBarrier had done its job and had prevented the installation of the DNSChanger.
Any AV activity being an uncommon event on a Mac, RLV interpreted the "infected files" notification on his hard drive as a successful system infection.
With another round of messages, we expressed confidence that his Mac was fine and provided him with information on DNS settings along with suggestions on how to test his system in order to confirm that it was clean. If his DNS settings were okay, then his personal information was okay as well. In any case, DNSChangers are more interested in making money by altering search results.
Excerpts from RLV's last message:

Thank you again for your message and for your really great help.
I called Apple and spoke with a couple of their reps. […] The reps were incredulous about the existence of malware specifically targeting Macs. They looked up articles about it while we were on the phone — they wouldn't believe me until they looked it up for themselves.
Doesn't hurt to be informed, or to doublecheck, even though it is a rare occurrence for Macs. Everyone I talked to was denying any malware vulnerability for Mac platforms, which struck me as not the best attitude to take.
I'm grateful for the help offered by you and f-secure and hopefully I won't be needing it again!

We hope so too. In his messages, RLV came across as a gentleman. There are several Mac users here in the lab and we were happy to assist him with something a bit outside of our normal routine.

Source: Mac Case - F-Secure Weblog : News from the Lab

 

Wireshark 0.99.8 released

Published: 2008-02-28,
Last Updated: 2008-02-28 04:34:58 UTC
by Jim Clausing (Version: 1)

Just a quick note to alert our readers that a new version of the popular network protocol analyzer/sniffer Wireshark (v0.99.8) has been released. This release includes some security fixes in the SCTP, SNMP, and TFTP dissectors. Malformed packets can crash the application. We'll update the story with CVE entries when they become available.

References:

http://www.wireshark.org/security/wnpa-sec-2008-01.html

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Abusing Image File Execution Options

Published: 2008-02-28,
Last Updated: 2008-02-28 00:21:54 UTC
by Bojan Zdrnja (Version: 1)

As a frequent reader of ISC, I have no doubt that you are aware of malware that was distributed on digital frames and other devices (if you haven't read those diaries, see http://isc.sans.org/diary.html?storyid=3817).

After we received some samples from our readers (thank you!) I decided to analyze one of them just for fun. According to VirusTotal, all AV programs (except for one) detected this sample, so at least all users running an up to date AV program are safe.

Most of the activities by the trojan were more or less standard until I saw that it creates a high number of new registry keys. I dug a bit further and found that it uses one relatively old technique that I haven't seen abused for quite some time: the trojan used the Image File Execution Options section of the registry.

Disassembly of the trojan showed that it cycles through a loop and creates a Debugger value for a lot of keys:

(OllyDBG screenshot)

The question now was: what is this doing? I had to dig through MSDN to find what exactly this section of the registry does (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options). Basically, the Debugger value allows a programmer to specify a debugger for any executable on the system. This will make Windows start that program (the debugger) instead of the executable you wanted to start in order to allow you to debug that program (it actually makes it pretty difficult to start the real executable and not the specified debugger).

One really cool usage for this feature is to replace the default Task Manager with Sysinternals' Process Explorer – one has to create this key for the taskmgr.exe application and point to Process Explorer and voila, it'll get started instead of Task Manager.

The trojan abused this feature – it had a list of almost dozens of well-known anti-virus and other security tool executables. Then it created these registry keys for every single application so the trojan would get executed instead – pretty sneaky. You can see part of the registry of an infected machine below:

(Registry screenshot)

You can see the trojan trying to disable the NOD32 AV program on the screenshot above. Since Windows doesn't really check if it's a real debugger that is being started, I hope that all AV vendors are aware of this (old) technique and that they check for their own entries in this section of the registry. By the way, this feature can be used for some nasty pranks so don't abuse it please.
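An added audit script (not part of the diary) that does the check suggested above for any tool, not just one vendor's: it parses a text export of the Image File Execution Options key and flags Debugger values that point at something other than a real debugger, plus one binary registered as the "debugger" for several images, which is the pattern the trojan left behind. The registry export below is constructed and the image names in it are placeholders; the EXPECTED_DEBUGGERS set is an assumption to adjust for your own estate.

```python
"""Audit an exported Image File Execution Options (IFEO) key for Debugger hijacks.

Input is the text of a `reg export` of the IFEO key (on disk the file is UTF-16;
decode it before calling). The sample below is constructed, not from a real host.
"""
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debugger targets an administrator may legitimately set (assumption: extend for your estate).
EXPECTED_DEBUGGERS = {"procexp.exe", "windbg.exe", "ntsd.exe"}

# Constructed sample export. avscanner.exe / avmonitor.exe / svch0st.exe are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Tools\\procexp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"Debugger"="C:\\WINDOWS\\system32\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmonitor.exe]
"Debugger"="C:\\WINDOWS\\system32\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)


def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for every IFEO subkey carrying a Debugger value."""
    debuggers = {}
    current_image = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            current_image = None
            if path.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                # Only the direct child of the IFEO key (the image file name) matters.
                current_image = path[len(IFEO_PREFIX) + 1:].split("\\")[0].lower()
            continue
        val = DEBUGGER_RE.match(line)
        if val and current_image:
            # .reg files escape quotes and backslashes inside string values.
            debuggers[current_image] = val.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return debuggers


def find_hijacks(debuggers):
    """Return (subject, detail, reason) tuples for suspicious Debugger entries.

    A real debugger set for one program (the Process Explorer trick) is normal; an
    unknown binary, or one binary named as the debugger for many images, is not.
    """
    findings = []
    by_target = {}
    for image, cmd in debuggers.items():
        # First token of the command, file name only, for comparison.
        target = cmd.strip('"').split()[0].rsplit("\\", 1)[-1].lower()
        by_target.setdefault(target, []).append(image)
        if target not in EXPECTED_DEBUGGERS:
            findings.append((image, cmd, "unexpected debugger target"))
    for target, images in by_target.items():
        if len(images) > 1:
            findings.append((target, ", ".join(sorted(images)), "same target registered for multiple images"))
    return findings


if __name__ == "__main__":
    for subject, detail, reason in find_hijacks(parse_ifeo_debuggers(SAMPLE_REG)):
        print(f"{reason}: {subject} -> {detail}")
```

On the sample this reports the two placeholder AV images redirected to svch0st.exe and the shared target, while the taskmgr.exe entry pointing at procexp.exe passes.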

--
Bojan

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

ICQ Message Processing Format String Vulnerability

Secunia Advisory:
SA29138

Release Date:
2008-02-28

Critical:
Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
ICQ 6.x

Description:
B0B has discovered a vulnerability in ICQ, which can be exploited by malicious people to compromise another user's system.

The vulnerability is caused due to a format string error when generating HTML code to display messages in the embedded Internet Explorer component, which can be exploited by sending specially crafted messages containing format string specifiers to another user.

Successful exploitation allows the execution of arbitrary code.

The vulnerability is confirmed in ICQ 6 build 6043. Other versions may also be affected.

Solution:
Enable the "Accept messages only from contacts" option and remove untrusted users from your contact list.

If the "Ask me before displaying messages from people I don't know" option is enabled, discard incoming messages.

Provided and/or discovered by:
B0B

Original Advisory:
http://board.raidrush.ws/showthread.php?t=386983


Source: ICQ Message Processing Format String Vulnerability - Advisories - Secunia

 

VMWare Bug Provides Escape Hatch

February 28th, 2008 by Ma. Christina Cruz

VMWare is one of the more popular virtualization products these days. Its home page describes virtualization as a technology bound to change the IT landscape, as it allows one to “transform hardware into software.” By “virtualizing” hardware resources including the CPU, RAM, etc., multiple virtual machines can share resources without interfering with each other. It has thus proven to be a handy tool for intensive security research as well as for the creation and use of test environments without harming the actual system.

However, Core Security Technologies has very recently reported a bug that allows malicious users to escape the virtual environment and actually penetrate the host system running it. The bug exists in the shared folder feature of the Windows client-based virtualization software. VMWare has, for the meantime, advised users to disable shared folders. The company has also made clear that the vulnerability was not present in its server line, and that in newer versions the user must actually turn on the feature to become susceptible to this attack.

VMWare discloses this vulnerability on this page.

Core Security Technologies has a full disclosure on this page. The vulnerability ID for this finding is CVE-2008-0923 at the National Vulnerability Database.

Trend Micro researchers are bent on giving you the freshest information on the latest threats. We are posting our findings in real-time, so please stand by for updates as we uncover more details on this particular threat.

Source: VMWare Bug Provides Escape Hatch | TrendLabs | Malware Blog - by Trend Micro

 

Trend Micro OfficeScan CGI Module and Policy Server Buffer Overflows

Secunia Advisory:
SA29124

Release Date:
2008-02-28

Critical:
Moderately critical

Impact:
DoS
System access

Where:
From local network

Solution Status:
Unpatched

Software:
Trend Micro OfficeScan Corporate Edition 7.x

Description:
Luigi Auriemma has discovered some vulnerabilities in Trend Micro OfficeScan, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) A boundary error in cgiChkMasterPwd.exe can be exploited to cause a stack-based buffer overflow via an HTTP request with a specially crafted, overly long "TMLogonEncrypted" parameter.

Successful exploitation allows execution of arbitrary code.

2) A boundary error in PolicyServer.exe can be exploited to cause a stack-based buffer overflow via an HTTP request to the cgiABLogon.exe CGI module with a specially crafted, overly long "pwd" parameter.

Successful exploitation allows execution of arbitrary code but requires that the Trend Micro Policy Server for Cisco NAC is installed.

Other errors, e.g. NULL-pointer dereference errors in certain CGI modules when handling HTTP requests containing certain characters or with invalid "Content-Length" headers, have also been reported.

The vulnerabilities are confirmed in version 7.3 with Patch 3 build 1314. Other versions may also be affected.

Solution:
Restrict network access to the services.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/officescaz-adv.txt

Source: Trend Micro OfficeScan CGI Module and Policy Server Buffer Overflows - Advisories - Secunia

 

Trend Micro OfficeScan 8.0 Policy Server Denial of Service

Secunia Advisory:
SA29151

Release Date:
2008-02-28

Critical:
Less critical

Impact:
DoS

Where:
From local network

Solution Status:
Unpatched

Software:
Trend Micro OfficeScan Corporate Edition 8.x

Description:
Luigi Auriemma has discovered a vulnerability in Trend Micro OfficeScan, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in PolicyServer.exe and can be exploited to cause the service to terminate via an HTTP request to the cgiABLogon.exe CGI module with a specially crafted, overly long "pwd" parameter. The service then restarts after a few seconds.

Successful exploitation requires that the Trend Micro Policy Server for Cisco NAC is installed.

Other errors, e.g. NULL-pointer dereference errors in certain CGI modules when handling HTTP requests containing certain characters or with invalid "Content-Length" headers, have also been reported.

The vulnerability is confirmed in version 8.0 with Patch 2 build 1189. Other versions may also be affected.

Solution:
Restrict network access to the web service.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/officescaz-adv.txt

Source: Trend Micro OfficeScan 8.0 Policy Server Denial of Service - Advisories - Secunia

 

Linux, FreeBSD and Mac (!) bot

Published: 2008-02-28,
Last Updated: 2008-02-28 09:31:30 UTC
by Bojan Zdrnja (Version: 1)

Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc).

After initial analysis I found out that it's nothing special – just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though since it compiles out of the box on FreeBSD and Linux anyway.

The bot did all the standard stuff: it had a couple of "owners" defined, comments in Portuguese, and connected to Undernet, the IRC network that a lot of attackers like.

I decided, for the fun of it, to run the sample through VirusTotal, just to see what results AV programs will have. It was .. erm.. interesting, as you will see below.

There were in total 3 files:

$ md5sum linux freebsd darwin
fbab7e9bf1780fd2bc99e44d46535be5 linux
17eb3a901811ea86f7d71394cde36202 freebsd
a93b41466e330fc3cf8e6602e5cd03c2 darwin

The FreeBSD version of the bot was detected by 23 out of 32 AV programs (decent) and the Linux one by 24 out of 32 AV programs (even better). This was clearly signature detection since almost all AV programs detected the FreeBSD version as something for Linux (Linux/RST.B) – my guess is that they trigger on some text in the binary.

Finally, the Darwin version was a bit of a shock – 0 detections in total (!). Since it was a Mach-O executable for PPC, my guess is that AV programs didn't know how to parse the file format and just thought of it as data.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 This sounds interesting...

Virtualization equals real security

Wednesday, February 27th, 2008 at 9:09pm by Christopher Bolin

Hotels in Cannes don’t just sell out for the Film Festival; all rooms are also booked for a big IT show this week: VMware’s first VMworld Europe.

Today I showed an audience of about 4,500 people at VMworld Europe how VMware and McAfee together will be able to protect virtual environments in ways beyond what is available to protect physical environments today.

Our customers are using more and more virtualization. We’ve devoted a lot of time and energy to provide the best protection possible, for both physical and virtualized environments.

Virtualization represents a disruptive change in how the world uses its computing devices. It has also expanded the possibilities for more comprehensive security for the virtualization platforms and the guest operating systems they host.

With the popularity of virtualization and the rush to reap its benefits, security must not become an afterthought. That is why I am excited about today’s big news: VMware VMsafe. With VMsafe, VMware is building adaptable security interfaces as a fundamental part of its products, allowing partners such as McAfee to offer innovative security solutions.

McAfee is the first security company to publicly demonstrate VMsafe. At VMworld we showed how, with VMsafe, we can block a malicious driver being executed in a virtual machine. We also showed that we can scan and clean offline VMs so they are up-to-date when they’re spun up.

We deliver real and meaningful security for virtualized environments today. Our security risk management solutions are fully compatible with VMware virtualization and help organizations create a safe computing environment, spanning virtualized servers, networks and desktops.

In the future, VMsafe could be used in a range of our products, further enhancing the protection. Just as VMware has provided a fundamental change to how computing resources are used, it will allow security technologies to protect virtual environments in ways beyond those possible for a single monolithic OS. VMsafe is the key to that promise.

Aside from our support for VMsafe, we also announced an OEM (original equipment manufacturer) agreement with VMware to use VMware ESX Server in future products. In addition, we announced beta availability of our new Email and Web Security Virtual Appliance, built from the ground up for the VMware platform, and unveiled a new virtual infrastructure security assessment service.

You can read more about how McAfee secures virtual environments in our news releases and on our virtualization Web site: http://www.mcafee.com/virtualization

Virtually yours,

Christopher

Source: Security Insights Blog » Virtualization equals real security

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 27, 2008
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
  * MS08-013 - Critical
  * MS08-010 - Critical
  * MS07-012
Bulletin Information:
=====================
* MS08-013 - Critical
  - http://www.microsoft.com/technet/security/bulletin/ms08-013.mspx
  - Reason for Revision: V1.2 (February 27, 2008): Bulletin updated to reflect the reason why this update cannot be uninstalled for Office XP and Office 2003.
  - Originally posted: February 12, 2008
  - Updated: February 27, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
* MS08-010 - Critical
  - http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
  - Reason for Revision: V1.2 (February 27, 2008): Corrected the registry key verification path for Internet Explorer 6 for all supported x64-based editions of Windows Server 2003.
  - Originally posted: February 12, 2008
  - Updated: February 27, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
* MS07-012
  - http://www.microsoft.com/technet/security/bulletin/ms07-012.mspx
  - Reason for Revision: V2.1 (February 27, 2008) Bulletin updated: Corrected the registry key verification path and the uninstall folder for Windows Server 2003.
  - Originally posted: February 13, 2007
  - Updated: February 27, 2008
  - Bulletin Severity Rating: Important
  - Version: 2.1

 

Security Fix

Brian Krebs on Computer Security


An Opera Update And A Farewell to Netscape

A new version of the Opera Web browser fixes at least three security vulnerabilities in the software. Separately, a security patch from AOL marks the final update for the venerable Netscape browser.

The latest update from AOL will be the last for Netscape: AOL officially ends support for it on March 1, meaning it has no further plans to ship security updates for Netscape or otherwise maintain the browser.

While Netscape's share of the browser market today is practically negligible compared to that of Internet Explorer, Firefox and Opera, this final version is a bit of an unceremonious goodbye for a browser that helped introduce so many people to the World Wide Web back in the mid-1990s. In 1998, Netscape released the source code for the Netscape Communicator browser. By doing so, it helped form the basis of the Mozilla.org project -- an open source initiative that laid the groundwork for Firefox (For more background on the storied relationship between Netscape, AOL and Mozilla, see these links here).

AOL is urging Netscape users to consider switching over to Firefox, which is similar in look and feel, by including the Netscape 9 Migrator in this final, patched version of Netscape. The migrator tool manifests itself as a red exclamation mark in the lower right hand corner of the latest Netscape browser window, which when clicked pops up a box displaying installer links for both Firefox and Flock, another browser based on Firefox that emphasizes blogs, news feeds and social networking sites.

For Netscape users who switch to Firefox but still pine for the Netscape-like interface, there also is a Firefox add-on that incorporates the Netscape theme.

Opera, of course, is another alternative. The latest Opera release brings the browser to version 9.26. Current Opera users should be alerted that a new version is available. The direct download for the latest version can be found at this link.

Source: An Opera Update And A Farewell to Netscape - Security Fix

 

Lack of digital certificates validation on various PEAP supplicants

Published: 2008-02-27,
Last Updated: 2008-02-27 19:50:23 UTC
by Raul Siles (Version: 1)

PEAP (Protected EAP) is one of the most commonly used EAP methods for strong wireless 802.11 authentication in WPA/WPA2 Enterprise mode (using 802.1x/EAP), as native support is available in the Windows, Mac OS X and Linux supplicants (like xsupplicant). When PEAP is used, the user is authenticated through username and password using MSCHAPv2, and the infrastructure (specifically the RADIUS server) is authenticated through digital certificates using TLS/SSL.

Recently, multiple vulnerabilities on the digital certificate validation process associated to PEAP have been released, due to the supplicant or the deployment failing to properly validate the RADIUS server certificate:

In the first case (best scenario), by using the default PEAP settings on Windows the certificate is validated, but the match between the name (common name or CN) of the RADIUS server and the name on the certificate is not. As a consequence, an attacker can provide its own infrastructure (access-point plus malicious RADIUS server) and present a valid certificate (signed by a trusted CA), but belonging to the attacker's RADIUS server. The client will accept it as valid, and the attacker will get access to inner EAP authentication credentials (MSCHAPv2 challenge and response) and can perform dictionary attacks on the credentials.

Do not think just about wireless deployments! If you are using strong layer-2 authentication through 802.1x in your wired network (something I've always promoted), you may be using the same vulnerable supplicant. Since 2005 I've been teaching the renamed SANS "Wireless Security Penetration Testing" course, and during the last day we build up a complete WPA Enterprise setup in class, using a CA, RADIUS, 802.1X & PEAP, where I do not provide any DNS infrastructure on purpose to show this flaw.

For the first scenario, the workaround is to properly configure the supplicant using strict authentication settings. Be very careful when configuring the supplicants and validate the digital certificate for the server, the CA, plus the common name. For example, on Windows this means to check (see slide 37 of 42 on the presentation above):

  • Validate server certificate
  • Connect to these servers, and provide the hostnames for the servers
  • Select the CA you used to issue the certificates for your network infrastructure
  • Do not allow users to authorize new servers or CA's

For the VoIP network devices there is no easy and overall solution right now, so it is recommended to select long and complex passwords to prevent the dictionary attack from succeeding.

My guess is that we're going to start seeing more and more issues like this one in other supplicants from various wireless and wired network devices, and for other EAP types that also use digital certificates, such as EAP-TTLS, and PEAP v1 and v2. Most EAP types are complex authentication protocols.
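The same strict settings apply to a Linux supplicant. The following audit script is an added example, not part of this diary; it uses wpa_supplicant (my choice, rather than the xsupplicant named above) and checks each PEAP network block for the first three items of the Windows list: a CA is selected (ca_cert), it is the organisation's own CA rather than a distribution-wide bundle, and the RADIUS server name is pinned (domain_match and friends). The SSID, identity, CA path and server name in the sample are constructed placeholders; the fourth Windows item (users authorising new servers) has no equivalent in a static config file.

```python
"""Audit wpa_supplicant PEAP network blocks for missing RADIUS server certificate validation."""
import re

# Constructed sample: the first block is the weak default, the second the hardened form.
# SSID, identity, password, CA path and server name are placeholders, not real values.
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="EXAMPLE-PASSWORD"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="EXAMPLE-PASSWORD"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# Distribution-wide CA bundles: a certificate from any public CA would chain to one of these,
# which is exactly the "valid certificate, wrong server" case described in the diary.
BROAD_BUNDLES = {"/etc/ssl/certs/ca-certificates.crt", "/etc/pki/tls/certs/ca-bundle.crt"}
# wpa_supplicant keys that pin the server identity in the certificate.
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(conf_text):
    """Return one dict per network={...} block, with surrounding quotes removed from values."""
    networks = []
    for block in BLOCK_RE.finditer(conf_text):
        net = {}
        for raw in block.group(1).splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_peap(net):
    """Return the list of validation gaps in one PEAP block; an empty list means strict settings."""
    if net.get("eap", "").upper() != "PEAP":
        return []
    findings = []
    ca_cert = net.get("ca_cert")
    if not ca_cert:
        findings.append("no ca_cert: the RADIUS server certificate is not validated at all")
    elif ca_cert in BROAD_BUNDLES:
        findings.append("ca_cert is a general-purpose bundle: any publicly trusted CA could issue an acceptable certificate")
    if not any(net.get(k) for k in NAME_KEYS):
        findings.append("no server name match: a valid certificate for a different host (rogue RADIUS) is accepted")
    return findings


def audit_config(conf_text):
    """Return [(ssid, findings)] for every block; read a real file with open(path).read()."""
    return [(net.get("ssid", "?"), audit_peap(net)) for net in parse_networks(conf_text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF):
        print(ssid, "OK" if not findings else "; ".join(findings))
```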

--
Raul Siles
www.raulsiles.com

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
