February 2008 - Posts

 

Arsenal Fan Site Compromised, Serves Malware

February 28th, 2008 by Jovi Umawing

Sports fan sites being compromised by malicious authors is not unheard of. We’ve seen it happen to a Jets fan site in early January this year, and we’re seeing it again on another fan site, this time one for Arsenal, a popular English soccer team.

The compromised Web site in this case is Onlinegooner.com, which was reported by ScanSafe OI to be “maliciously active.” STAT confirmed that the fan site had been injected with malicious code, which led to the download of malware from the following IP addresses:

  • 61(dot)19(dot)246(dot)58
  • 202(dot)83(dot)212(dot)250
  • 89(dot)107(dot)104(dot)30

It was observed that the aforementioned addresses were hosted in several parts of the globe, such as Thailand, Hong Kong, and Russia. The downloaded malware was found to contain rootkit, keylogging, backdoor, ARP poisoning, and DNS spoofing capabilities — all of which are, admittedly, pretty sophisticated features for a piece of malware.

Onlinegooner.com has been bringing news to Arsenal fans for a decade now, and it was also news that was used to bring malware to fans. As the seeding of malware took place February 18, one motivation for the compromise could have been the then-upcoming Champions League match that the team had against AC Milan. Closely following this event was striker Eduardo da Silva’s injury, which must have also served the malicious users’ purposes in drawing more fans to the site.

Source: Arsenal Fan Site Compromised, Serves Malware | TrendLabs | Malware Blog - by Trend Micro

 

Spyware from World’s Largest Podcast Directory

February 28th, 2008 by Roderick Ordoñez

A site dubbing itself as the world’s largest podcast directory has been compromised! Even Google cautions about visiting the site, warning the user that it “may harm your computer.”

The site, hxxp://www.pod-planet.com, seemingly contains a redirector string, such that a visit to the site’s main page (hxxp://www.pod-planet.com/index.asp) will automatically lead users to http://www.{BLOCKED}e8.com/app/helptop.do, which in turn downloads a malicious file from http://www.{BLOCKED}e8.com/app/wm.exe. Trend Micro detects the downloaded file as TSPY_WOWAR.AG.

Once again the culprit behind this series of redirections is injected code, which has obviously been obfuscated to deter analysis. Obfuscation — normally done to protect one's own code against direct copying — may actually prove detrimental to a malware (spyware) author in this case, as a chunk of illegible characters sitting in an otherwise fully legitimate site may be proof enough that something is wrong.

Diligence is required of any Webmaster, and a great deal of it is needed in this robust era of Web threats. That is especially true for a site that calls itself the “largest podcast directory” on the Net, as malware writers are all too eager to transform this “largest directory” into a vehicle for heapings of malicious intent — and fully capable of doing so.

Source: Spyware from World’s Largest Podcast Directory | TrendLabs | Malware Blog - by Trend Micro

 

Gmail Captcha gets a Serious Kick from Bot Tagteam

February 28th, 2008 by Arman Capili

Word has it that spammers have started circumventing the CAPTCHA system used by Google’s email service, Gmail. Recall that a similar issue affected the Windows Live mail service a few weeks back.

The two attacks are pretty similar in that both use bots to sign up new email accounts. However, the Gmail attack is considered more complicated since it uses two compromised hosts in its attempts to break the Google Captcha system. The first host extracts a copy of the Captcha image in bitmap format and attempts to break the code. If it fails, a second host takes the same image, breaks it down into segments and sends those on as a portable image or graphic file. Segmentation is the one task where humans still outperform bots, but it is steadily gaining attention and focus among spammers and bot herders.

It is apparent from the mechanism above that Google Captchas are a lot harder to break than those of other email services—and they had better be. Gmail provides a very wide window of opportunity for spammers, who can leverage Google’s wide range of services for free. Google's popularity makes it difficult to track spammers among the millions of users across the globe, which in turn makes it highly unlikely that Google’s domains will get blacklisted.

Although the success rate of breaking the Google Captcha is still very low, we cannot deny that it works. We can expect more innovation from spammers in the future, and far more effective and creative ways of dealing with bots should definitely be on the to-do lists of email service providers as well.

Source: Gmail Captcha gets a Serious Kick from Bot Tagteam | TrendLabs | Malware Blog - by Trend Micro

 

Mac Case
Posted by Sean @ 16:53 GMT


Patrik's Mac DNS Changer video recently generated some viewer mail.
RLV wrote us the following:

Thank you for your video about the DNS changer trojan horse being targeted to Mac computers.
I was wondering if you could offer assistance. My computer has been infected by this trojan horse…

This is what happened:
RLV thought that his Mac was infected with a DNSChanger trojan, so he started doing some research. His search located our video, but the demo and his personal experience didn't match, because he wasn't prompted for his password as was demonstrated.
He then contacted us and we requested his samples. Well, his sample files were indeed a variant of Trojan:OSX/DNSChanger.
So we followed up again. With a few more details, we realized that he had installed Intego's VirusBarrier before the "infection" and not afterwards as we had originally thought. So the trial version of VirusBarrier had done its job and had prevented the installation of the DNSChanger.
Any AV activity being an uncommon event on a Mac, RLV interpreted the "infected files" notification on his hard drive as a successful system infection.
With another round of messages, we expressed confidence that his Mac was fine and provided him with information on DNS settings along with suggestions on how to test his system in order to confirm that it was clean. If his DNS settings were okay, then his personal information was okay as well. In any case, DNSChangers are more interested in making money by altering search results.
Excerpts from RLV's last message:

Thank you again for your message and for your really great help.
I called Apple and spoke with a couple of their reps. […] The reps were incredulous about the existence of malware specifically targeting Macs. They looked up articles about it while we were on the phone — they wouldn't believe me until they looked it up for themselves.
Doesn't hurt to be informed, or to double-check, even though it is a rare occurrence for Macs. Everyone I talked to was denying any malware vulnerability for Mac platforms, which struck me as not the best attitude to take.
I'm grateful for the help offered by you and f-secure and hopefully I won't be needing it again!

We hope so too. In his messages, RLV came across as a gentleman. There are several Mac users here in the lab and we were happy to assist him with something a bit outside of our normal routine.

Source: Mac Case - F-Secure Weblog : News from the Lab

 

Wireshark 0.99.8 released

Published: 2008-02-28,
Last Updated: 2008-02-28 04:34:58 UTC
by Jim Clausing (Version: 1)

Just a quick note to alert our readers that a new version of the popular network protocol analyzer/sniffer Wireshark (v0.99.8) has been released.  This release includes some security fixes in the SCTP, SNMP, and TFTP dissectors.  Malformed packets can crash the application.  We'll update the story with CVE entries when they become available.

References:

http://www.wireshark.org/security/wnpa-sec-2008-01.html

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Abusing Image File Execution Options

Published: 2008-02-28,
Last Updated: 2008-02-28 00:21:54 UTC
by Bojan Zdrnja (Version: 1)

As a frequent reader of ISC, I have no doubt that you are aware of malware that was distributed on digital frames and other devices (if you haven't read those diaries, see http://isc.sans.org/diary.html?storyid=3817).

After we received some samples from our readers (thank you!) I decided to analyze one of them just for fun. According to VirusTotal, all AV programs (except for one) detected this sample, so at least all users running an up to date AV program are safe.

Most of the trojan's activities were more or less standard, until I saw that it creates a large number of new registry keys. I dug a bit further and found that it uses one relatively old technique that I haven't seen abused for quite some time: the trojan uses the Image File Execution Options section of the registry.

Disassembly of the trojan showed that it cycles through a loop and creates a Debugger value for a lot of keys:

[OllyDBG screenshot: the loop creating the Debugger values]

The question now was: what is this doing? I had to dig through MSDN to find out exactly what this section of the registry does (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options). Basically, the Debugger value allows a programmer to specify a debugger for any executable on the system. Windows will then start that program (the debugger) instead of the executable you wanted to start, so that you can debug it (which actually makes it pretty difficult to start the real executable rather than the specified debugger).

One really cool use of this feature is to replace the default Task Manager with Sysinternals' Process Explorer: create this key for taskmgr.exe, point the Debugger value at Process Explorer and voila, it gets started instead of Task Manager.

The trojan abused this feature – it had a list of a few dozen well-known anti-virus and other security tool executables. It then created a registry key for every single one of them so the trojan would get executed instead – pretty sneaky. You can see part of the registry of an infected machine below:

[Registry screenshot of an infected machine]

In the screenshot above you can see the trojan disabling the NOD32 AV program. Since Windows doesn't really check whether the program being started is a real debugger, I hope that all AV vendors are aware of this (old) technique and check for their own entries in this section of the registry. By the way, this feature can be used for some nasty pranks so don't abuse it please.
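An added detection example, not from the diary: a Python script that parses a text export of the IFEO key (the format written by `reg export`, assumed to have been run on the machine under review) and reports every Debugger value, treating a debugger that is not on a small allow-list, or one shared by several targets, as suspicious. The sample export, the `svchost32.exe` path and the target names nod32.exe and avp.exe are constructed.

```python
"""Flag Image File Execution Options (IFEO) Debugger hijacks in a .reg export.

Added example, not from the ISC diary. Input is the text produced by
`reg export` of the IFEO key; the sample below is constructed, as are the
debugger path and the target executable names.
"""
import re
from collections import OrderedDict

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")

# Debuggers an administrator might legitimately register (constructed allow-list).
KNOWN_DEBUGGERS = {"procexp.exe", "ntsd.exe", "windbg.exe", "cdb.exe"}

# Constructed export: taskmgr -> Process Explorer (benign), two AV tools redirected
# to the same unknown binary, which is the trace the trojan's loop leaves behind.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Tools\\procexp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost32.exe"
"GlobalFlag"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')   # REG_SZ values only


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the string values in a .reg file."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes inside string data
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def debugger_basename(value):
    """File name of the program a Debugger value launches (the value may carry arguments)."""
    v = value.strip()
    if v.startswith('"'):                       # quoted path, possibly containing spaces
        end = v.find('"', 1)
        first = v[1:end] if end > 0 else v[1:]
    else:
        first = v.split()[0] if v else ""
    return first.replace("/", "\\").split("\\")[-1].lower()


def find_debugger_entries(text):
    """Return [(target_exe, debugger_value, suspicious)] for every IFEO Debugger value."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()) or "Debugger" not in values:
            continue
        target = key[len(IFEO_PREFIX):].lstrip("\\")
        if not target:                          # the IFEO root key itself names no target
            continue
        dbg = values["Debugger"]
        findings.append((target.lower(), dbg, debugger_basename(dbg) not in KNOWN_DEBUGGERS))
    return findings


def shared_debuggers(findings):
    """Debugger values that redirect more than one target, mapped to those targets."""
    by_dbg = OrderedDict()
    for target, dbg, _ in findings:
        by_dbg.setdefault(dbg.lower(), []).append(target)
    return {dbg: targets for dbg, targets in by_dbg.items() if len(targets) > 1}


if __name__ == "__main__":
    entries = find_debugger_entries(SAMPLE_REG)
    for target, dbg, suspicious in entries:
        print("%-12s -> %-40s %s" % (target, dbg, "SUSPICIOUS" if suspicious else "ok"))
    for dbg, targets in shared_debuggers(entries).items():
        print("shared debugger %s redirects: %s" % (dbg, ", ".join(targets)))
```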

--
Bojan

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

ICQ Message Processing Format String Vulnerability

Secunia Advisory:
SA29138

Release Date:
2008-02-28

Critical:
Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
ICQ 6.x

Description:
B0B has discovered a vulnerability in ICQ, which can be exploited by malicious people to compromise another user's system.

The vulnerability is caused due to a format string error when generating HTML code to display messages in the embedded Internet Explorer component, which can be exploited by sending specially crafted messages containing format string specifiers to another user.

Successful exploitation allows the execution of arbitrary code.

The vulnerability is confirmed in ICQ 6 build 6043. Other versions may also be affected.

Solution:
Enable the "Accept messages only from contacts" option and remove untrusted users from your contact list.

If the "Ask me before displaying messages from people I don't know" option is enabled, discard incoming messages.

Provided and/or discovered by:
B0B

Original Advisory:
http://board.raidrush.ws/showthread.php?t=386983


Source: ICQ Message Processing Format String Vulnerability - Advisories - Secunia

 

VMWare Bug Provides Escape Hatch

February 28th, 2008 by Ma. Christina Cruz

VMWare is one of the more popular virtualization products these days. Its home page describes virtualization as a technology bound to change the IT landscape, as it allows one to “transform hardware into software.” By “virtualizing” hardware resources, including the CPU, RAM, etc., multiple virtual machines can share resources without interfering with each other. It has thus proven to be a handy tool for intensive security research, as well as for the creation and use of test environments without harming the actual system.

However, Core Security Technologies has very recently reported a bug that allows malicious users to escape the virtual environment and actually penetrate the host system running it. The bug exists in the shared folder feature of the Windows client-based virtualization software. VMWare has, for the meantime, advised users to disable shared folders. The company has also made clear that the vulnerability is not present in its server line, and that in newer versions the user must actually turn on the feature to become susceptible to this attack.

VMWare discloses this vulnerability on this page.

Core Security Technologies has a full disclosure on this page. The vulnerability ID for this finding is CVE-2008-0923 at the National Vulnerability Database.

Trend Micro researchers are bent on giving you the freshest information on the latest threats. We are posting our findings in real-time, so please stand by for updates as we uncover more details on this particular threat.

Source: VMWare Bug Provides Escape Hatch | TrendLabs | Malware Blog - by Trend Micro

 

Trend Micro OfficeScan CGI Module and Policy Server Buffer Overflows

Secunia Advisory:
SA29124

Release Date:
2008-02-28

Critical:
Moderately critical

Impact:
DoS
System access

Where:
From local network

Solution Status:
Unpatched

Software:
Trend Micro OfficeScan Corporate Edition 7.x

Description:
Luigi Auriemma has discovered some vulnerabilities in Trend Micro OfficeScan, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) A boundary error in cgiChkMasterPwd.exe can be exploited to cause a stack-based buffer overflow via an HTTP request with a specially crafted, overly long "TMLogonEncrypted" parameter.

Successful exploitation allows execution of arbitrary code.

2) A boundary error in PolicyServer.exe can be exploited to cause a stack-based buffer overflow via an HTTP request to the cgiABLogon.exe CGI module with a specially crafted, overly long "pwd" parameter.

Successful exploitation allows execution of arbitrary code but requires that the Trend Micro Policy Server for Cisco NAC is installed.

Other errors, e.g. NULL-pointer dereference errors in certain CGI modules when handling HTTP requests containing certain characters or with invalid "Content-Length" headers, have also been reported.

The vulnerabilities are confirmed in version 7.3 with Patch 3 build 1314. Other versions may also be affected.

Solution:
Restrict network access to the services.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/officescaz-adv.txt

Source: Trend Micro OfficeScan CGI Module and Policy Server Buffer Overflows - Advisories - Secunia

 

Trend Micro OfficeScan 8.0 Policy Server Denial of Service

Secunia Advisory:
SA29151

Release Date:
2008-02-28

Critical:
Less critical

Impact:
DoS

Where:
From local network

Solution Status:
Unpatched

Software:
Trend Micro OfficeScan Corporate Edition 8.x

Description:
Luigi Auriemma has discovered a vulnerability in Trend Micro OfficeScan, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in PolicyServer.exe and can be exploited to cause the service to terminate via an HTTP request to the cgiABLogon.exe CGI module with a specially crafted, overly long "pwd" parameter. The service then restarts after a few seconds.

Successful exploitation requires that the Trend Micro Policy Server for Cisco NAC is installed.

Other errors, e.g. NULL-pointer dereference errors in certain CGI modules when handling HTTP requests containing certain characters or with invalid "Content-Length" headers, have also been reported.

The vulnerability is confirmed in version 8.0 with Patch 2 build 1189. Other versions may also be affected.

Solution:
Restrict network access to the web service.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/officescaz-adv.txt

Source: Trend Micro OfficeScan 8.0 Policy Server Denial of Service - Advisories - Secunia

 

Linux, FreeBSD and Mac (!) bot

Published: 2008-02-28,
Last Updated: 2008-02-28 09:31:30 UTC
by Bojan Zdrnja (Version: 1)

Yesterday I received samples of an IRC bot. This in itself would be nothing interesting, except for the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc).

After initial analysis I found out that it's nothing special – just a port of a well-known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though, since it compiles out of the box on FreeBSD and Linux anyway.

The bot did all the standard stuff: it had a couple of "owners" defined, comments in Portuguese, and connected to Undernet, the IRC network that a lot of attackers like.

I decided, for the fun of it, to run the samples through VirusTotal, just to see what results the AV programs would have. It was... erm... interesting, as you will see below.

There were in total 3 files:

$ md5sum linux freebsd darwin
fbab7e9bf1780fd2bc99e44d46535be5 linux
17eb3a901811ea86f7d71394cde36202 freebsd
a93b41466e330fc3cf8e6602e5cd03c2 darwin

The FreeBSD version of the bot was detected by 23 out of 32 AV programs (decent) and the Linux one by 24 out of 32 AV programs (even better). This was clearly signature detection since almost all AV programs detected the FreeBSD version as something for Linux (Linux/RST.B) – my guess is that they trigger on some text in the binary.

Finally, the Darwin version was a bit of a shock – 0 detections in total (!). Since it was a Mach-O executable for PPC, my guess is that AV programs didn't know how to parse the file format and just thought of it as data.
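An added triage example, not from the diary or any AV product: a small Python identifier that tells ELF (reading the FreeBSD/Linux OS ABI byte and the machine type) from Mach-O, including the big-endian PPC header that the engines apparently treated as plain data. The three sample headers are constructed stand-ins for the diary's linux, freebsd and darwin files, not the real binaries.

```python
"""Identify the format of Linux, FreeBSD and Darwin (Mach-O/PPC) executables.

Added example, not from the ISC diary. The sample headers are constructed to
mimic the first bytes of the three bot files the diary lists; they are not
the real samples.
"""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
ELF_OSABI = {0: "System V", 3: "Linux", 9: "FreeBSD"}          # e_ident[EI_OSABI]
ELF_MACHINE = {3: "x86", 20: "ppc", 62: "x86_64"}              # e_machine
MACHO_MAGIC = {                                                # first 4 bytes -> (name, cputype format)
    b"\xfe\xed\xfa\xce": ("Mach-O 32-bit", ">I"),             # big-endian, e.g. PowerPC
    b"\xce\xfa\xed\xfe": ("Mach-O 32-bit", "<I"),             # little-endian, e.g. x86
    b"\xfe\xed\xfa\xcf": ("Mach-O 64-bit", ">I"),
    b"\xcf\xfa\xed\xfe": ("Mach-O 64-bit", "<I"),
    b"\xca\xfe\xba\xbe": ("Mach-O universal", None),          # fat binary, several architectures
}
MACHO_CPUTYPE = {7: "x86", 18: "ppc", 0x01000007: "x86_64", 0x01000012: "ppc64"}


def identify(data):
    """Describe the executable format of the given bytes, or return 'data' if unknown."""
    if data[:4] == ELF_MAGIC and len(data) >= 20:
        osabi = ELF_OSABI.get(data[7], "OSABI %d" % data[7])
        endian = "<" if data[5] == 1 else ">"                   # e_ident[EI_DATA]: 1 = little-endian
        (e_machine,) = struct.unpack(endian + "H", data[18:20])
        return "ELF (%s, %s)" % (osabi, ELF_MACHINE.get(e_machine, "machine %d" % e_machine))
    entry = MACHO_MAGIC.get(data[:4])
    if entry and len(data) >= 8:
        name, fmt = entry
        if fmt is None:
            return name
        (cputype,) = struct.unpack(fmt, data[4:8])             # cputype follows the magic
        return "%s (%s)" % (name, MACHO_CPUTYPE.get(cputype, "cputype 0x%x" % cputype))
    return "data"


def elf_header(osabi, machine):
    """Build a minimal 32-bit little-endian ELF header prefix (constructed test data)."""
    ident = ELF_MAGIC + bytes([1, 1, 1, osabi]) + bytes(8)     # class, data, version, OSABI, padding
    return ident + struct.pack("<HH", 2, machine)               # e_type = ET_EXEC, e_machine


# Constructed stand-ins for the three files in the diary's md5sum listing.
SAMPLES = {
    "linux": elf_header(0, 3),                                  # Linux binaries usually carry OSABI 0
    "freebsd": elf_header(9, 3),                                # FreeBSD brands its binaries with OSABI 9
    "darwin": b"\xfe\xed\xfa\xce" + struct.pack(">I", 18),      # MH_MAGIC + CPU_TYPE_POWERPC
}


def triage(samples):
    """Return {name: (md5, format)}: what a scanner should know before it tries any signature."""
    return {name: (hashlib.md5(data).hexdigest(), identify(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (digest, fmt) in triage(SAMPLES).items():
        print("%s  %-8s %s" % (digest, name, fmt))
```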

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 This sounds interesting...

Virtualization equals real security

Wednesday, February 27th, 2008 at 9:09pm by Christopher Bolin

Hotels in Cannes don’t just sell out for the Film Festival; all rooms are also booked for a big IT show this week: VMware’s first VMworld Europe.

Today I showed an audience of about 4,500 people at VMworld Europe how VMware and McAfee together will be able to protect virtual environments in ways beyond what is available to protect physical environments today.

Our customers are using more and more virtualization. We’ve devoted a lot of time and energy to provide the best protection possible, for both physical and virtualized environments.

Virtualization represents a disruptive change in how the world uses its computing devices. It has also expanded the possibilities for more comprehensive security for the virtualization platforms and the guest operating systems they host.

With the popularity of virtualization and the rush to reap its benefits, security must not become an afterthought. That is why I am excited about today’s big news: VMware VMsafe. With VMsafe, VMware is building adaptable security interfaces as a fundamental part of its products, allowing partners such as McAfee to offer innovative security solutions.

McAfee is the first security company to publicly demonstrate VMsafe. At VMworld we showed how, with VMsafe, we can block a malicious driver being executed in a virtual machine. We also showed that we can scan and clean offline VMs so they are up-to-date when they’re spun up.

We deliver real and meaningful security for virtualized environments today. Our security risk management solutions are fully compatible with VMware virtualization and help organizations create a safe computing environment, spanning virtualized servers, networks and desktops.

In the future, VMsafe could be used in a range of our products, further enhancing the protection. Just as VMware has provided a fundamental change to how computing resources are used, it will allow security technologies to protect virtual environments in ways beyond those possible for a single monolithic OS. VMsafe is the key to that promise.

Aside from our support for VMsafe, we also announced an OEM (original equipment manufacturer) agreement with VMware to use VMware ESX Server in future products. In addition, we announced beta availability of our new Email and Web Security Virtual Appliance, built from the ground up for the VMware platform, and unveiled a new virtual infrastructure security assessment service.

You can read more about how McAfee secures virtual environments in our news releases and on our virtualization Web site: http://www.mcafee.com/virtualization

Virtually yours,

Christopher

Source: Security Insights Blog » Virtualization equals real security

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 27, 2008
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
  * MS08-013 - Critical
  * MS08-010 - Critical
  * MS07-012
Bulletin Information:
=====================
* MS08-013 - Critical
  - http://www.microsoft.com/technet/security/bulletin/ms08-013.mspx
  - Reason for Revision: V1.2 (February 27, 2008): Bulletin updated to reflect the reason why this update cannot be uninstalled for Office XP and Office 2003.
  - Originally posted: February 12, 2008
  - Updated: February 27, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
* MS08-010 - Critical
  - http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
  - Reason for Revision: V1.2 (February 27, 2008): Corrected the registry key verification path for Internet Explorer 6 for all supported x64-based editions of Windows Server 2003.
  - Originally posted: February 12, 2008
  - Updated: February 27, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
* MS07-012
  - http://www.microsoft.com/technet/security/bulletin/ms07-012.mspx
  - Reason for Revision: V2.1 (February 27, 2008) Bulletin updated: Corrected the registry key verification path and the uninstall folder for Windows Server 2003.
  - Originally posted: February 13, 2007
  - Updated: February 27, 2008
  - Bulletin Severity Rating: Important
  - Version: 2.1

 

Security Fix

Brian Krebs on Computer Security


An Opera Update And A Farewell to Netscape

A new version of the Opera Web browser fixes at least three security vulnerabilities in the software. Separately, a security patch from AOL marks the final update for the venerable Netscape browser.

The latest update from AOL will be the last for Netscape: AOL officially ends support for it on March 1, meaning it has no further plans to ship security updates for Netscape or otherwise maintain the browser.

While Netscape's share of the browser market today is practically negligible compared to that of Internet Explorer, Firefox and Opera, this final version is a bit of an unceremonious goodbye for a browser that helped introduce so many people to the World Wide Web back in the mid-1990s. In 1998, Netscape released the source code for the Netscape Communicator browser. By doing so, it helped form the basis of the Mozilla.org project -- an open source initiative that laid the groundwork for Firefox (for more background on the storied relationship between Netscape, AOL and Mozilla, see these links here).

AOL is urging Netscape users to consider switching over to Firefox, which is similar in look and feel, by including the Netscape 9 Migrator in this final, patched version of Netscape. The migrator tool manifests itself as a red exclamation mark in the lower right hand corner of the latest Netscape browser window, which when clicked pops up a box displaying installer links for both Firefox and Flock, another browser based on Firefox that emphasizes blogs, news feeds and social networking sites.

For Netscape users who switch to Firefox but still pine for the Netscape-like interface, there also is a Firefox add-on that incorporates the Netscape theme.

Opera, of course, is another alternative. The latest Opera release brings the browser to version 9.26. Current Opera users should be alerted that a new version is available. The direct download for the latest version can be found at this link.

Source: An Opera Update And A Farewell to Netscape - Security Fix

 

Lack of digital certificates validation on various PEAP supplicants

Published: 2008-02-27,
Last Updated: 2008-02-27 19:50:23 UTC
by Raul Siles (Version: 1)

PEAP (Protected EAP) is one of the most commonly used EAP methods for strong wireless 802.11 authentication in WPA/WPA2 Enterprise mode (using 802.1x/EAP), as native support is available in the Windows, Mac OS X and Linux supplicants (like xsupplicant). When PEAP is used, the user is authenticated through username and password using MSCHAPv2, and the infrastructure (specifically the RADIUS server) is authenticated through digital certificates using TLS/SSL.

Recently, multiple vulnerabilities in the digital certificate validation process associated with PEAP have been released, due to the supplicant or the deployment failing to properly validate the RADIUS server certificate:

In the first case (the best-case scenario), with the default PEAP settings on Windows the certificate is validated, but the name (common name or CN) of the RADIUS server is not matched against the name on the certificate. As a consequence, an attacker can provide their own infrastructure (an access point plus a malicious RADIUS server) and present a valid certificate (signed by a trusted CA) that belongs to the attacker's RADIUS server. The client will accept it as valid, the attacker will obtain the inner EAP authentication credentials (MSCHAPv2 challenge and response) and can then run dictionary attacks on those credentials.

Do not think only of wireless deployments! If you are using strong layer-2 authentication through 802.1x in your wired network (something I've always promoted), you may be using the same vulnerable supplicant. Since 2005 I've been teaching the renamed SANS "Wireless Security Penetration Testing" course, and on the last day we build a complete WPA Enterprise setup in class, using a CA, RADIUS, 802.1X and PEAP, where on purpose I do not provide any DNS infrastructure, in order to show this flaw.

For the first scenario, the workaround is to configure the supplicant properly, using strict authentication settings. Be very careful to configure the supplicants appropriately and to validate the server's digital certificate, the CA, and the common name. For example, on Windows this means checking (see slide 37 of 42 of the presentation above):

  • Validate server certificate
  • Connect to these servers, and provide the hostnames for the servers
  • Select the CA you used to issue the certificates for your network infrastructure
  • Do not allow users to authorize new servers or CA's
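The same settings expressed for a Linux supplicant, as an added example that is not part of the diary: a wpa_supplicant.conf network block with the weak defaults placed beside the strict one for comparison (a deployed file would carry only the strict block). The SSID, identity, CA file path and RADIUS host name are assumed.

```conf
# Added example, not from the diary: wpa_supplicant.conf network blocks for one
# WPA2-Enterprise SSID. SSID, identity, CA path and RADIUS host name are assumed.

# WEAK: with no ca_cert any server certificate is accepted, and nothing ties the
# certificate to our RADIUS server, so a rogue access point presenting a CA-signed
# certificate for some other host name still sees the MSCHAPv2 exchange.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="<user password>"
    phase2="auth=MSCHAPV2"
}

# STRICT: validate the chain against our own CA only, require the server
# certificate to carry our RADIUS host name, and pin the PEAP version.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="<user password>"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    # older wpa_supplicant releases use a substring match on the subject DN instead:
    # subject_match="/CN=radius.corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

With the strict block, a certificate that chains to a trusted public CA but names another host fails the domain_suffix_match check and the inner MSCHAPv2 exchange never starts.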

For the VoIP network devices there is no easy, overall solution right now, so it is recommended to select long and complex passwords to prevent the dictionary attack from succeeding.

My guess is that we're going to start seeing more and more issues like this one in other supplicants from various wireless and wired network devices, and for other EAP types that also use digital certificates, such as EAP-TTLS, and PEAP v1 and v2. Most EAP types are complex authentication protocols.

--
Raul Siles
www.raulsiles.com

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Botnet Gang in Quebec Set to Appear in Court Today

February 27th, 2008 by Ma. Christina Cruz

We have recently blogged about big botnet contender Mega-Dik, to remind people of the pervasiveness of botnets today (and that Storm is not the only force to reckon with in terms of illicitly-acquired distributed computing power).

It is thus with great cheer that we pick up this report from the Calgary Herald’s Ravensbergen. After observing the activities of the suspected hacking ring in an investigation stretching as far back as 2006, the Quebec police, headed by Capt. Frederick Gaudreau, were able to apprehend 17 people (aged 17 to 26) in raids conducted almost a week ago in 12 towns across the province.

By using remote-access software, these people (one of whom is a 19-year-old woman) were able to extend their control to around a million computers in more than a hundred countries. Zombified computers were made to conduct various spamming and phishing activities on behalf of the bot masters. Victims of this gang were from Poland, Brazil, Mexico, Manitoba and the US, amongst others, and the estimated total damage to governments (which the police chose not to name as of this writing), businesses and homes was pegged by Gaudreau at $45M.

The suspects in these computer-related crimes enabled by the botnet are set to appear in court today to answer charges of illegally obtaining computer services (10 years max in jail), but more charges may follow after forensic analysis of hardware confiscated during the raids. The entire operation consumed a lot of manpower, as hundreds of Quebec police and Royal Canadian Mounted Police officers were said to have worked together to take this group down. But in any case, this victory only goes to show the seriousness with which authorities across the world are taking crimes committed online.

Other news sites report this bust here and here.

Source: Botnet Gang in Quebec Set to Appear in Court Today | TrendLabs | Malware Blog - by Trend Micro

 

“Live or Die” - Part 2

February 27th, 2008 by JM Hipolito

A sequel to the old “pay up or we’ll kill you” scheme has recently surfaced, getting publicity from various Web sites.

This scam, which seems to have begun back in April 2007, has appeared in various forms but with the same MO. It comes as an email message from a person who claims to have been paid by someone to kill the recipient. The supposed “killer” then asks the recipient for a certain amount of money in exchange for their life. Messages were reported to contain the following:

Subject: BE MORE CAREFUL
From: “BE MORE CAREFUL”
Reply-To: william1111@live.com
To: undisclosed-recipients:;

I am very sorry for you, is a pity that this is how your life is going to end as soon as you don’t comply. As you can see there is no need of introducing myself to you because I don’t have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that.

Someone you call a friend wants you Dead by all means, and the person have spent a lot of money on this, the person also came to us and told me that he want you dead and he provided us with your name ,picture and other necessary information’s we needed about you. So I sent my boys to track you down and they have carried out the necessary investigation needed for the operation on you, and they have done that but I told them not to kill you that I will like to contact you and see if your life is Important to you or not since their findings shows that you are innocent.

I called my client back and ask him of you email address which I didn’t tell him what I wanted to do with it and he gave it to me and I am using it to contact you now. As I am writing to you now my men are monitoring you and they are telling me everything about you.

Now do you want to LIVE OR DIE? As someone has paid us to kill you. Get back to me now if you are ready to pay some fees to spare your life, $30,000 is all you need to spend You will first of all pay $15,000 then I will send the tape to you and when the tape get to you, you will pay the remaining $15,000. If you are not ready for my help, then I will carry on with my job straight-up.

WARNING: DO NOT THINK OF CONTACTING THE POLICE OR EVEN TELL ANYONE BECAUSE I WILL KNOW.REMEMBER, SOMEONE WHO KNOWS YOU VERY WELL WANT YOU DEAD! I WILL EXTEND IT TO YOUR FAMILY, INCASE I NOTICE SOMETHING FUNNY.

DO NOT COME OUT ONCE IT IS 7:PM UNTIL I MAKE OUT TIME TO SEE YOU AND GIVE YOU THE TAPE OF MY DISCUSSION WITH THE PERSON WHO WANT YOU DEAD THEN YOU CAN USE IT TO TAKE ANY LEGAL ACTION. GOOD LUCK AS I AWAIT YOUR REPLY TO THIS E-MAIL CONTACT

Other variants of the message mentioned above contain the same text, only with different amounts of money being asked for by the sender. Here’s a sample email of the scam:

This scheme is fairly old, but its age does not eliminate the possibility of someone falling for it. Trend Micro advises recipients of an email message similar to the one shown above to ignore the said message.

Source: “Live or Die” - Part 2 | TrendLabs | Malware Blog - by Trend Micro

 

RTKT_PUSHU.AC - Rootkit Remover?

February 27th, 2008 by Edgardo Diaz

A malware removes rootkits? There has to be a catch here.

Our recent analysis of RTKT_PUSHU.AC reveals that this component of the WORM_NUWAR and TROJ_PUSHDO/TROJ_PANDEX malware families removes rootkits previously installed by other malware, but then infects the system with its own rootkit components.

The rootkit, which is basically a device driver, is dropped by the malware to remove the following hooks on the affected system:

  • System Service Dispatch Table (SSDT) Hook
  • IRP and Device Hooks for the following sys files:
    • Ntfs.sys
    • Ndis.sys
    • Tcpip.sys
    • Ipfltrdrv.sys

Removing the mentioned hooks also removes the Create Process Notify and Create Thread Notify routines on the affected system, hiding the malicious processes and threads executed by the malware.

The driver is also used as a component for updating the rootkit itself and for re-infecting the system with its malicious routines.

Below is an example scenario of how RTKT_PUSHU.AC executes its routines:

The first screenshot shows two rootkits that have been installed on the system. WINCOM32.SYS, detected by Trend Micro as TROJ_DORF.AA, hooks the SSDT for file and registry hiding. RUNTIME.SYS, on the other hand, is detected by Trend Micro as TROJ_ROOTKIT.DU and hooks the IRPs of TCPIP.SYS for port hiding. Also shown is RTKT_PUSHU.AC, installed on the system as IP6FW.SYS.

[Screenshot: TROJ_DORF.AA, TROJ_ROOTKIT.DU, RTKT_PUSHU.AC]

Upon execution, TROJ_DORF.AA and TROJ_ROOTKIT.DU go into action:

TROJ_DORF.AA hooks the SSDT as shown below. This fakes the output of calls to the services provided by NTOSKRNL, which enables the rootkit to hide certain processes and files on the affected system.

[Screenshot: TROJ_DORF.AA]

As a result, the file WINCOM32.SYS, detected by Trend Micro as TROJ_DORF.AA, is now unseen, as shown in the screenshot below:

[Screenshot: TROJ_DORF.AA]

On the other hand, TROJ_ROOTKIT.DU hooks IRPs related to TCPIP.SYS, as shown in the following screenshot:

[Screenshot: TROJ_ROOTKIT.DU]

As a result, TCP ports on the affected system are now hidden:

[Screenshot: TROJ_ROOTKIT.DU]

Now, upon the execution of RTKT_PUSHU.AC, the hooks on SSDT are no longer there:

[Screenshot: RTKT_PUSHU.AC]

So the file WINCOM32.SYS, detected as TROJ_DORF.AA, is visible again:

[Screenshot: TROJ_DORF.AA]

The IRP hooks related to TCPIP.SYS are gone as well:

[Screenshot: TROJ_ROOTKIT.DU]

This reveals the previously hidden ports:

[Screenshot: TROJ_ROOTKIT.DU]

The catch: RTKT_PUSHU.AC actually disables other rootkits previously installed on the system, but only to infect the system with its own rootkit components or update components previously installed on the system.
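The check the screenshots walk through (SSDT entries that no longer point into NTOSKRNL, IRP handlers of TCPIP.SYS that no longer point into TCPIP.SYS) can be modeled in user mode. The following is an added Python example, not Trend Micro's tool or the malware's code; the module load addresses, table contents and the particular service and IRP_MJ names hooked are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Module:
    """A loaded kernel image: the address range its code legitimately occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed module map: image names are from the post, load addresses are invented.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("tcpip.sys",    0xF7A10000, 0x05A000),
    Module("WINCOM32.SYS", 0xF8C20000, 0x008000),  # TROJ_DORF.AA
    Module("RUNTIME.SYS",  0xF8D40000, 0x006000),  # TROJ_ROOTKIT.DU
]
BY_NAME = {m.name: m for m in MODULES}

def owner_of(addr: int) -> Optional[str]:
    """Name of the image containing addr, or None for memory backed by no known image."""
    for m in MODULES:
        if m.contains(addr):
            return m.name
    return None

def find_hooks(table: Dict[str, int], expected: str) -> List[Tuple[str, str]]:
    """(entry, owner) for every table entry whose target lies outside `expected`.
    A target in no image at all is reported as '<no image>' (typical of hidden code)."""
    exp = BY_NAME[expected]
    return [(entry, owner_of(addr) or "<no image>")
            for entry, addr in table.items() if not exp.contains(addr)]

def scan(ssdt: Dict[str, int], tcpip_irps: Dict[str, int]) -> Dict[str, list]:
    """SSDT entries must resolve into ntoskrnl; tcpip's IRP_MJ_* handlers into tcpip.sys."""
    return {"SSDT": find_hooks(ssdt, "ntoskrnl.exe"),
            "tcpip.sys IRP": find_hooks(tcpip_irps, "tcpip.sys")}

# Constructed snapshot 1: the state in the first screenshots, both rootkits active.
SSDT_HOOKED = {
    "NtQueryDirectoryFile": 0xF8C21A40,   # -> WINCOM32.SYS (file hiding)
    "NtEnumerateValueKey":  0xF8C21C10,   # -> WINCOM32.SYS (registry hiding)
    "NtCreateFile":         0x80570B2C,   # untouched, inside ntoskrnl
}
TCPIP_HOOKED = {
    "IRP_MJ_DEVICE_CONTROL": 0xF8D41200,  # -> RUNTIME.SYS (port hiding)
    "IRP_MJ_CREATE":         0xF7A2C4E0,  # untouched, inside tcpip.sys
}
# Constructed snapshot 2: the same tables after the hooks have been removed.
SSDT_CLEAN = {"NtQueryDirectoryFile": 0x80574F0C, "NtEnumerateValueKey": 0x8056E2A0,
              "NtCreateFile": 0x80570B2C}
TCPIP_CLEAN = {"IRP_MJ_DEVICE_CONTROL": 0xF7A2D8B0, "IRP_MJ_CREATE": 0xF7A2C4E0}

if __name__ == "__main__":
    print("hooked:", scan(SSDT_HOOKED, TCPIP_HOOKED))
    print("clean: ", scan(SSDT_CLEAN, TCPIP_CLEAN))
```

The same range test is why a rootkit that merely removes a competitor's hooks (as RTKT_PUSHU.AC does) makes the clean snapshot look healthy while its own driver is still loaded; the module list itself must be trusted separately.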

Source: RTKT_PUSHU.AC - Rootkit Remover? | TrendLabs | Malware Blog - by Trend Micro

 

Apple Mac OS X "ipcomp6_input()" Denial of Service

Secunia Advisory:
SA29130

Release Date:
2008-02-27

Critical:
Moderately critical

Impact:
DoS

Where:
From remote

Solution Status:
Unpatched

OS:
Apple Macintosh OS X

CVE reference:
CVE-2008-0177 (Secunia mirror)

Description:
A vulnerability has been reported in Apple Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "ipcomp6_input()" function in bsd/netinet6/ipcomp_input.c when processing IPv6 packets with an IPComp header. This can be exploited to crash a vulnerable system by sending a specially crafted IPv6 packet.

This is related to:
SA28788

The vulnerability is reported in Mac OS X 10.5.1 and 10.5.2. Other versions may also be affected.

Solution:
Use a firewall to block IPv6 packets containing an IPComp header.
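An added Python example, not part of the Secunia advisory, of the check a firewall needs in order to apply this workaround: walk the IPv6 extension-header chain and drop any packet in which an IPComp header (protocol 108) appears, whether directly after the fixed header or behind other extension headers. The sample packets are constructed; treating an unparsable chain as a drop is an assumption of this example.

```python
import struct

IPCOMP = 108                    # IANA protocol number of the IPComp header
HOPOPT, ROUTING, DSTOPTS = 0, 43, 60
FRAGMENT, ESP, AH = 44, 50, 51
WALKABLE = {HOPOPT, ROUTING, DSTOPTS, FRAGMENT, AH}   # headers we can step over

def _ext_len(proto: int, pkt: bytes, off: int) -> int:
    """Byte length of the extension header starting at pkt[off]."""
    if proto in (HOPOPT, ROUTING, DSTOPTS):
        return (pkt[off + 1] + 1) * 8        # Hdr Ext Len in 8-octet units, excluding first 8
    if proto == FRAGMENT:
        return 8                             # fixed size
    return (pkt[off + 1] + 2) * 4            # AH: Payload Len in 4-octet units, minus 2

def header_chain(pkt: bytes) -> list:
    """Protocol numbers reached from the fixed IPv6 header, in order. Walking stops
    at IPComp (its payload is compressed), ESP (opaque) or any upper-layer protocol.
    A chain that runs past the end of the packet raises ValueError."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    proto, off = pkt[6], 40
    chain = [proto]
    while proto in WALKABLE:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        size = _ext_len(proto, pkt, off)
        if off + size > len(pkt):
            raise ValueError("truncated extension header")
        proto, off = pkt[off], off + size
        chain.append(proto)
    return chain

def should_block(pkt: bytes) -> bool:
    """Workaround policy from the advisory: drop IPv6 packets that carry an IPComp
    header. Assumption: a chain we cannot parse is also dropped (fail closed)."""
    try:
        return IPCOMP in header_chain(pkt)
    except ValueError:
        return True

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header + payload, with constructed documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

# Constructed sample packets.
IPCOMP_HDR = struct.pack("!BBH", 6, 0, 2) + b"\x78\x9c\x03\x00"   # next=TCP, CPI=2 (DEFLATE)
PLAIN_TCP = build_ipv6(6, b"\x00\x50\x00\x50" + b"\x00" * 16)
IPCOMP_DIRECT = build_ipv6(IPCOMP, IPCOMP_HDR)
# Destination Options header (8 bytes, one PadN option) in front of the IPComp header.
IPCOMP_BEHIND_DSTOPTS = build_ipv6(DSTOPTS, bytes([IPCOMP, 0, 1, 4, 0, 0, 0, 0]) + IPCOMP_HDR)
FRAG_THEN_ESP = build_ipv6(FRAGMENT, struct.pack("!BBHI", ESP, 0, 0, 0x1234) + b"\x00" * 8)
TRUNCATED = build_ipv6(DSTOPTS, bytes([IPCOMP, 0]))   # header claims 8 bytes, only 2 present

if __name__ == "__main__":
    for name in ("PLAIN_TCP", "IPCOMP_DIRECT", "IPCOMP_BEHIND_DSTOPTS", "FRAG_THEN_ESP", "TRUNCATED"):
        print(f"{name:24} block={should_block(globals()[name])}")
```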

Provided and/or discovered by:
Discovered in the KAME Project by Shoichi Sakane. Reported in Mac OS X by mu-b.

Original Advisory:
http://www.digit-labs.org/files/exploits/xnu-ipv6-ipcomp.c

Other References:
SA28788:
http://secunia.com/advisories/28788/

Source: Apple Mac OS X "ipcomp6_input()" Denial of Service - Advisories - Secunia

 

Symantec Products Symantec Decomposer RAR File Handling Vulnerabilities

Secunia Advisory:
SA29140

Release Date:
2008-02-27

Critical:
Highly critical

Impact:
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
Symantec AntiVirus for Network Attached Storage 4.x
Symantec AntiVirus Scan Engine 4.x
Symantec AntiVirus/Filtering for Domino 3.x
Symantec Mail Security for Exchange 4.x
Symantec Mail Security for Microsoft Exchange 5.x
Symantec Scan Engine 5.x

CVE reference:
CVE-2008-0308 (Secunia mirror)
CVE-2008-0309 (Secunia mirror)

 

Description:
Two vulnerabilities have been reported in various Symantec products, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) A boundary error in Symantec's Decomposer engine can be exploited to cause a stack-based buffer overflow when handling a specially crafted .RAR file.

Successful exploitation allows execution of arbitrary code.

2) An error in Symantec's Decomposer engine can be exploited to cause the process to consume large amounts of memory when handling a specially crafted .RAR file.

The vulnerabilities affect all builds of the following products:
* Symantec AntiVirus for Network Attached Storage version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for Caching version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for Clearswift version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for Messaging version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for MS ISA version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for MS SharePoint version 4.3.16.39 and prior
* Symantec AntiVirus/Filtering for Domino MPE(AIX, Linux, Solaris) all versions
* Symantec Mail Security for Microsoft Exchange version 4.6.5.12 and prior
* Symantec Mail Security for Microsoft Exchange version 5.0.4.363 and prior
* Symantec Scan Engine version 5.1.4.24 and prior


Solution:
Update to the latest versions. Please see the vendor's advisory for details.

Provided and/or discovered by:
1) Discovered by an anonymous researcher and reported via iDefense Labs.
2) Discovered by an anonymous researcher and reported via iDefense Labs.

Original Advisory:
SYM08-006:
http://www.symantec.com/avcenter/security/Content/2008.02.27.html

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=666
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=667

Source: Symantec Products Symantec Decomposer RAR File Handling Vulnerabilities - Advisories - Secunia

 

Taking the next step with Windows Vista SP1

Back in December, I mentioned some changes were coming with WGA in Windows Vista. I want to say first that I'm excited about the step forward we're taking with SP1 and proud of the work that has gone into it. I'm excited both about the changes we've made to the user experience that we talked about and also about what we've done in Windows Vista SP1 to combat two of the most common methods we've seen for trying to hack product activation in Windows Vista.

First let me recap the changes to the customer experience that are included in SP1. "Reduced Functionality Mode" (RFM) has been removed from the product and replaced with a notifications-based experience. The purpose of the notifications-based experience is to differentiate between a genuine and activated copy of Windows Vista and one that is not, and do so in a way that maintains system functionality such as logon, access to the familiar desktop etc. This new experience means that systems that are not activated during their grace periods (initial activations as well as those due to hardware changes) or that fail our validation may have this experience.

The experience coming in SP1 is common across the activation and validation scenarios and here's what it's going to look like.

After the activation grace period has been exceeded the next logon will present the user with a message that directs the customer to activate that copy of Windows. That dialog includes a fifteen second delay before it can be dismissed. If a customer chooses to activate that copy of Windows they will be shown a number of ways to accomplish that. If they want to skip activation at that time they can wait for the fifteen seconds and choose "Activate Later" and they will be logged in to their desktop.

[Screenshot: Login]

When the desktop is loaded, the background wallpaper color will be set to black. This setting will be confirmed and reset every hour meaning that a user can change the wallpaper to a favorite image but each hour after being logged in, the system will reset the desktop background to black. When that happens, a system tray balloon notification will advise the customer to activate their copy of Windows.

[Screenshot: Desktop]

Again, if the user clicks the Activate message they will be presented with a number of ways to activate their copy of Windows.

Ok, you say, that's great but you've said this all before? How often is this likely to happen to the average customer? Well, in SP1 we will disable two of the most common exploits to our product activation technology. This means that users who have the exploits loaded on their systems will find those exploits disabled by SP1, and they will be asked to activate their copy of Windows Vista.

Here's how that's going to work.

Users of Windows Vista Service Pack 1 who previously had bypassed activation with the OEM BIOS or Grace Timer exploits should expect to find those exploits disabled by Windows. Once these exploits are disabled, the users will be prompted to activate their copy of Windows. If a customer doesn't activate within the required grace period they will receive frequent notifications alerting them that their system may not be genuine and what they need to do. The timing of when customers will first see the "Activate Your Copy of Windows" message can vary depending on what exploit is running on their system. Customers whose systems have the OEM BIOS exploit, for example, may not see anything for 15 days due to the way activation was set up for our OEM partners. Systems that have the Grace Timer exploit will be immediately prompted to activate once SP1 is installed.

So what about customers who DON'T install SP1 for a while? Is there some way they can tell if they're running one of these exploits? Why yes, in fact, there is.

Later this month Microsoft will release an update to Windows Vista through Windows Update that will enable Gold and SP1-installed systems to detect the presence of the Grace Timer and OEM BIOS exploits then alert the customer of their presence. The dialog box (shown below) also provides customers with guidance about what they can do to fix it and provides a Web link for more details, so that customers can learn about the particular exploit and learn how to disable and remove it. If they are a victim of software piracy, the linked Web pages will provide information on how to get genuine software. 

[Screenshot: Detection]

It's important to note that this update does not disable the exploits it finds; it simply alerts customers that exploits exist. When we first release the update that enables Windows Vista to detect the exploits we will also make available a separate removal tool as a download. In the future we will integrate the removal of the exploits with the detection. I'm expecting to see that integration in our next release. We also wanted to minimize any interruption for genuine customers so if a Windows Vista customer does not have an exploit on their system, they won't see any dialog box after the update is applied. It's that simple.

By providing this kind of technology, we want to make sure our customers are able to have the best Windows experience possible.

As always, I welcome your feedback.

Published Thursday, February 21, 2008 9:00 AM by alexkoc

Filed under: exploit, detection, SP1

Source: Windows Genuine Advantage : Taking the next step with Windows Vista SP1

 

Thunderbird 2.0.0.12 is out

Published: 2008-02-27,
Last Updated: 2008-02-27 02:38:44 UTC
by Raul Siles (Version: 1)

A new Thunderbird version, 2.0.0.12, has been released. This version fixes five (5) known vulnerabilities: 1 critical, 3 high and 1 moderate.

MFSA 2008-12 Heap buffer overflow in external MIME bodies
MFSA 2008-07 Possible information disclosure in BMP decoder
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)

We were told by the security people at Mozilla a couple of weeks ago, when Firefox 2.0.0.12 was released, that this Thunderbird version contains security fixes that will never be fixed in a 1.5 version. So, if you're still running Thunderbird 1.X, it is time to update!

Thanks Jason for the heads up.

--
Raul Siles
www.raulsiles.com

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

InterVideo WinDVD Media Center Denial of Service Vulnerabilities

Secunia Advisory:
SA28910

Release Date:
2008-02-27

Critical:
Less critical

Impact:
DoS

Where:
From local network

Solution Status:
Unpatched

Software:
InterVideo WinDVD Media Center

Description:
Parvez Anwar has discovered some vulnerabilities in InterVideo WinDVD Media Center, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerabilities are caused due to NULL-pointer dereference errors within InterVideo IMC Server (IMCSvr.exe) and InterVideo Home Theater (IHT.exe) when handling received packets. These can be exploited to crash the affected processes via a specially crafted packet containing two CRLF sequences.

The vulnerabilities are confirmed in version 2.11.15.0 of the installer package.

Solution:
Use in a trusted network environment only.

Provided and/or discovered by:
Parvez Anwar


Source: InterVideo WinDVD Media Center Denial of Service Vulnerabilities - Advisories - Secunia

 

Office 2003 SP3 distributed early via Windows Update

Microsoft's plan is to distribute Office Service Pack 3... 30 days after it was made available. This means users should be seeing it today. However, a user of Office 2003 received it 2 days ago. That's 2 days early MS ;)

Anyhoo, I hope you guys got it installed.  It's a recommended upgrade.

Source: Office 2003 SP3 distributed early via Windows Update - Donna's SecurityFlash

 

Another trojan embedded in a MS-Word DOC

Published: 2008-02-26,
Last Updated: 2008-02-27 01:51:53 UTC
by Adrien de Beaupre (Version: 2)

Once again this appears to be a targeted attack. There have been reports of a 'zero-day' however this has been discounted by Microsoft.

Cheers,
Adrien
Bell Canada


Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc