March 2008 - Posts

Now THIS is funny :) 

It Takes Two Minutes to Hack A Mac!

March 31st, 2008 by Aileen Clemente

The Mac world is shaken. IDG News Service’s Robert McMillan reports that Charlie Miller and two other security researchers from Independent Security Evaluators have hacked the wickedly slim Apple MacBook Air in a fleeting two minutes and walked away with a $10,000 cash prize, the gorgeous laptop, and tons of bragging rights in the CanSecWest PWN to OWN 2008 contest held in Vancouver. Miller’s earlier claim to fame was in being one of the researchers who first hacked the iPhone last year. That must make him Apple’s most favorite person in the whole world!

This contest, other than giving hackers an opportunity to win big money, aims to present new vulnerabilities in certain systems so that the affected vendors can address them. Open for attack were a Sony VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1, and as mentioned, a MacBook Air running OSX 10.5.2. As of this writing, the VAIO and Fujitsu are still standing strong.

Miller’s team was able to expose the MacBook Air’s vulnerability by “tricking” the judges into visiting a Web site where they had already set up attack code. According to the sponsor’s Web site, the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari, the browser that comes pre-installed on the Air, was used to gain control of the system. Understandably, the more detailed method cannot be made public, as previously agreed in a contract signed by the contestants.

Source: It Takes Two Minutes to Hack A Mac! | TrendLabs | Malware Blog - by Trend Micro

 

Tale of the iFrame Continues

March 31st, 2008 by Jake Soriano

Massive iFrame attacks on top Web sites still threaten online searches. The threat is not just continuing but, according to independent Internet security researcher Dancho Danchev, is getting bigger as well.

Trend Micro has recently reported two high-traffic sites that were iFramed earlier this month. The said attack relied on popular search terms that were not validated in search engines. Interestingly, this previous attack came less than a week after search results of popular Web sites ZDNet Asia and TorrentReactor were also found to have been iFramed.

Danchev says that the current poisoning also leads users to several redirection posts. He again lists what he believes are poisoned sites. These include the following:

  • USAToday.com
  • ABCNews.com
  • News.com
  • Target.com
  • Packard Bell.com
  • Walmart.com
  • Rediff.com
  • MiamiHerald.com
  • Bloomingdales.com
  • PatentStorm.us
  • WebShots.com
  • Sears.com
  • Forbes.com

Trend Micro Threat Response engineers analyzed the said pages and found no traces of an ongoing compromise. The sites may have been already fixed by the time of our engineers’ verification. However, the threat in general continues to persist, as it would be very possible to encounter iFrame injections in some future time. Security researchers have yet to close in on a foolproof way to lock down a site from being compromised.

Source: Tale of the iFrame Continues | TrendLabs | Malware Blog - by Trend Micro

 

Audit Your Web Server Lately?

Web servers being hacked is nothing new, and Web administrators continue to maintain their servers in the attempt to prevent this from happening. Well, it might be a good time for everyone to audit their servers again, because we have confirmed yet again another campaign of IFRAME injection attacks today. Earlier this month, we had a similar mass attack as well, making this a popular theme so far this year.

Earlier today, Dancho Danchev, a security consultant, published a blog about another batch of servers getting injected with malicious code, and we have confirmed the attack here at Symantec. IFRAME code has been inserted into Web pages on these servers, leading to rogue security software and codec sites, further leading to downloads of Trojan.Zlob variants and downloaders. These threats ultimately attempt to install misleading applications onto the compromised computers.

Please avoid the IP addresses below, which are hosting the unwanted files, for the time being. If you're an IT administrator, you will want to temporarily add them to the list of IPs to filter:

• 72.232.39.252
• 195.225.178.21
• 89.149.243.201
• 89.149.220.85

In the past we've seen many low-profile sites being targeted with the IFRAME attack, but this time the list of hacked sites includes many high-profile sites as well. This is very disturbing because many big corporations often go out of their way to protect themselves, yet get hit like this. A reevaluation of how we secure our IT infrastructure may be in order.

Posted by Joji Hamada on March 28, 2008 12:45 AM

Source: Symantec Security Response Weblog: Audit Your Web Server Lately?

 

Shedding (Black)Light on the Master Boot Record
Posted by Antti @ 13:47 GMT

A while ago we blogged about the MBR rootkit, which has been getting attention from all the security vendors. We're glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.
[Image: BlackLight detecting MBR rootkit]
BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we've seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.
You can download standalone BlackLight here.

Source: Shedding (Black)Light on the Master Boot Record - F-Secure Weblog : News from the Lab

 

Blended, Targeted Attack in Mexico: Now a DNS Changer and A Botnet

March 27th, 2008 by Carolyn Guevarra

Virus Coordinator for Trend Micro Latin America, Jose Lopez Tello, recently discovered a very interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month.

Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico.

However, instead of using the DNS poisoning method the past attacks did, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that is hosted at an IRC server in a U.S. hosting provider.

Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting e-card that a user receives via email. This e-card contains a link, which when clicked downloads the malicious file Gusanito.exe.

Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS settings on the affected user’s computer using the following simple script:

dns name= source=static addr=[IP address] register=PRIMARY

Thus, when the user attempts to access www.banamex.com, he is redirected to a phishing Web site (which is actually located at the same fake DNS server).

The botnet client code [BKDR_VBBOT.AE] also opens an IRC connection to yet another, different U.S.-based host and channel to wait for commands from its botmaster; these commands are actually intended to send more of the same original bogus e-card greeting e-mails.

As of this writing, there are over ~650 bots already connected to this botnet C&C (Command & Control server), most probably sending out tons of fake greeting e-cards at this very moment. “In fact, you can see all the list emails that will be targeted,” adds Tello.

The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this, as well.

(Thanks to Paul Ferguson for additional technical background.)

-Update: March 29, 2008-

The detection BKDR_VBBOT.AE was renamed to WORM_KELVIR.EI.

Source: Blended, Targeted Attack in Mexico: Now a DNS Changer and A Botnet | TrendLabs | Malware Blog - by Trend Micro
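A defender-side check for the DNS change described in this post, added here as an example and not part of the Trend Micro post: the script line quoted above matches the syntax of the Windows command netsh interface ip set dns ... source=static, so the corresponding audit is to read back netsh interface ip show dns and flag any interface whose statically configured resolver is not one the organisation expects. The allowlist addresses, the sample netsh output (its layout is an assumption about the English-language format) and the function names are all constructed for this example.

```python
import ipaddress
import re
import subprocess
import sys

# Assumption: the resolvers this environment is expected to use (constructed values).
ALLOWED_DNS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample modelled on the English 'netsh interface ip show dns' output
# (an assumption about the format). The second interface has been switched to a
# static resolver the way the post's script would do it.
SAMPLE_OUTPUT = """\
Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  192.168.1.1
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    Statically Configured DNS Servers:    203.0.113.45
                                          192.168.1.1
    Register with which suffix:           Primary only
"""

IFACE_RE = re.compile(r'^Configuration for interface "(.+)"\s*$')
SERVERS_RE = re.compile(
    r"^\s*(Statically Configured DNS Servers|DNS servers configured through DHCP):\s*(\S+)?"
)


def _as_ip(token):
    """Return the token normalised as an IP address, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def parse_netsh_dns(text):
    """Parse netsh output into {interface: {"source": "static"|"dhcp"|None, "servers": [...]}}."""
    config = {}
    current = None      # interface whose block is being parsed
    collecting = False  # True while unlabelled continuation lines may carry more servers
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            config[current] = {"source": None, "servers": []}
            collecting = False
            continue
        if current is None:
            continue
        m = SERVERS_RE.match(line)
        if m:
            label, first = m.groups()
            config[current]["source"] = "static" if label.startswith("Statically") else "dhcp"
            ip = _as_ip(first) if first else None  # 'None' is printed when no server is set
            if ip:
                config[current]["servers"].append(ip)
            collecting = True
            continue
        # Additional servers are printed one per line, indented, with no label.
        ip = _as_ip(line.strip()) if collecting else None
        if ip:
            config[current]["servers"].append(ip)
        else:
            collecting = False
    return config


def find_rogue_dns(config, allowed=ALLOWED_DNS):
    """Return (interface, server) pairs for statically set resolvers outside the allowlist."""
    rogue = []
    for iface, entry in config.items():
        if entry["source"] != "static":
            continue
        for server in entry["servers"]:
            if server not in allowed:
                rogue.append((iface, server))
    return rogue


def netsh_dns_output():
    """Run netsh on a live Windows host; fall back to the constructed sample elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_OUTPUT
    proc = subprocess.run(["netsh", "interface", "ip", "show", "dns"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    findings = find_rogue_dns(parse_netsh_dns(netsh_dns_output()))
    for iface, server in findings:
        print(f"[!] {iface}: static DNS server {server} is not on the allowlist")
    if not findings:
        print("No unexpected static DNS servers found")
```

Only statically configured resolvers are reported, because that is what the script in the post sets; a resolver handed out by DHCP is a different problem (a rogue DHCP server) and would need the DHCP lease, not the interface, to be checked.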

 

TIM’s Customers: Victims of Phishing Attacks

March 27th, 2008 by Daver Cavalcanti

Just recently, Trend Micro discovered an FTP server in Uruguay that hosts a phishing Web site that targets Telecom Italia Mobile (TIM) customers, one of the largest mobile phone companies in Brazil.

The server’s IP address indicates that it may be affiliated with Russian or Ukrainian cyber criminals who have previously been affiliated with RBN, or the Russian Business Network. RBN was made notorious for its “bullet-proof” hosting facilities, which have been linked to illegal activities such as child pornography, phishing, spam, and malware distribution.

Using an INDEX.HTML file, this phishing site has an ActiveX control that invites a user to view a video message purportedly from TIM Brazil. When accessed, it attempts to insert malicious code on the client system and then send phishing messages to the affected user. This file changes daily and points to a new false URL that is sent via email to all those who fell victim to the fraudulent Web site.

Phishing is a technique used to trick users into divulging personal information (such as social security numbers, ATM PIN, and credit card numbers) through email or dubious Web sites. Perpetrators trick gullible users to send them private or personal information. To do this, they forge the Web site or an email of a legitimate company. These Web sites or email messages usually ask for information about the recipient. Alterations on the code of these bogus Web pages or email messages result in the information being redirected to the cyber criminals. When the user is tricked into divulging information, we say that (s)he has become a victim of a “phishing attack.”

The ActiveX control is already detected by Trend Micro as POSSIBLE_MLWR-1. The malicious URL hides the source of the downloadable file through an obfuscated code script and resolves to the download of a Banker Trojan downloader, win.exe, from a host located in Brazil that is already blocked by our URL filtering services.

Source: TIM’s Customers: Victims of Phishing Attacks | TrendLabs | Malware Blog - by Trend Micro

 

Zero-Day Exploits Target Microsoft Jet Flaw

March 27th, 2008 by JM Hipolito

Investigations are currently being conducted as reports of targeted attacks through an unpatched security flaw in Microsoft’s Jet Database Engine have surfaced.

This vulnerability is exploited through a specially crafted Microsoft Word document detected by Trend Micro as TROJ_EMBED.AA. The Word file launches a Microsoft Database (MDB) file detected as TROJ_MSJET.C, which serves as a mail-merge file once the document is opened. At this point the vulnerability is exploited, allowing the Word document to drop a malicious .EXE file on the affected system.

The mentioned Word file also drops files that Trend Micro detects as the following:

  • TROJ_AGENT.TBS
  • TROJ_SMALL.EGV
  • BKDR_DARKMOON.AC
  • TSPY_KEYLOG.CF

    The following software is vulnerable to this attack when running on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1:

  • Microsoft Word 2000 Service Pack 3
  • Microsoft Word 2002 Service Pack 3
  • Microsoft Word 2003 Service Pack 2
  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007
  • Microsoft Word 2007 Service Pack 1

    On the other hand, systems running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not affected by this vulnerability, as they include a version of the Microsoft Jet Database Engine that is no longer vulnerable to this issue.

    More information regarding this vulnerability can be found on this advisory from Microsoft:

  • Microsoft Security Advisory (950627)

    The Microsoft Jet (Joint Engine Technology) Database Engine is the underlying building block of Microsoft’s databases (collections of information structured in a certain way) allowing the manipulation of relational database via a single interface.

    Users are advised to keep their scan engines, applications and operating systems updated and to avoid clicking on attachments in spammed email messages.

    Source: Zero-Day Exploits Target Microsoft Jet Flaw | TrendLabs | Malware Blog - by Trend Micro

     

    Shift happens
    Posted by Mikko @ 12:26 GMT

    A year or two ago, most malware was spread via e-mail attachments, which resulted in mass outbreaks like Bagle, Mydoom and Warezov. Nowadays sending .EXE attachments in e-mail doesn't work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic.

    The criminals’ new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP.

    Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware.

    There are several methods criminals use to gather traffic to these websites. A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link. Messages like "There is a video of you on YouTube", or "You have received a greeting card", or "Thank you for your order" have been popular baits.

    Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites. So when you do a search for something innocuous like "knitting mittens" (as a random example), and click on a search result that looks just like all the others, you are actually getting your computer infected. Typically, an infection by an automatic exploit happens without you realizing it or seeing anything strange on the computer screen.

    The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today’s criminal hackers don’t change the front page at all. They simply insert a line of JavaScript on the front page which uses an exploit to infect your machine when you go there. Everything works and looks as normal.

    [Image: Korea Times]

    This has happened to the web sites of some popular magazines which can have a million users every single day. People trust sites that are part of their daily routine, and they wouldn’t suspect that anything bad could happen when they go there.

    Another vector for drive-by downloads is infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don’t have to hack a site, but their exploit code will still be shown to millions of users, often without the knowledge of the webmasters of those sites.

    It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't.

    Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links.

    This report was an excerpt from our Quarterly Security Wrapup, which has been released today.

    Download the full wrapup.

    Source: Shift happens - F-Secure Weblog : News from the Lab

     

    BadWords From Bogus AdWords

    March 27th, 2008 by Christopher Talampas

    Trend Micro’s Content Security Web Blocking Team has recently encountered attempts to phish account information of users that subscribe to Google’s advertising platform, Google AdWords. The phishing email message appears to be from Google Adwords and tells the user to log on to Adwords and update their billing information, as shown in the image below:

    Google AdWord Phishing image

    It instructs the user to click a link which appears to the user as a legitimate Google Adwords link, but actually leads to a malicious Web site. Account information entered by the unknowing user on the malicious Web site is then sent to an unauthorized user.

    Such a technique may trick most users, making them think the URL shown in the message will connect them to the legitimate Web site. Furthermore, Google is generally known for its sparse, clean email and Web site interfaces, so this simple-looking email message can be quite convincing. Users are advised to report it here if they receive a message similar to the one above.

    Source: BadWords From Bogus AdWords | TrendLabs | Malware Blog - by Trend Micro
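A small check for the lure technique this post describes, where the visible link text shows one URL while the href points somewhere else. This is an added example, not code from Trend Micro; the sample message, the example.com (legitimate) and example.net (phishing) hosts, the two-label domain reduction and the function names are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: example.com stands in for the legitimate site and
# example.net for the phishing host (both are reserved names).
SAMPLE_HTML = """
<p>Please update your billing information at
<a href="http://adwords.example.net/login">https://adwords.example.com/select/</a>.</p>
<p>Or read our help pages: <a href="https://example.com/support">support</a></p>
<p><a href="http://www.example.com/">http://example.com/</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the host a URL-like string names, or None if the string is not URL-like."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # bare 'www.example.com/path' style text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    host = (host or "").strip(".")
    return host if "." in host else None


def registered_domain(host):
    """Reduce a host to its last two labels (a simplifying assumption, not a PSL lookup)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the shown URL names a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    mismatches = []
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown is None or actual is None:
            continue  # plain-word link text makes no claim about the destination
        if registered_domain(shown) != registered_domain(actual):
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"[!] link text {text!r} actually points to {href!r}")
```

The check deliberately ignores anchors whose text is an ordinary word such as "support": only text that itself looks like a URL makes a claim the href can contradict, which is exactly the trick the AdWords message relies on.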

     

    Practical Cold Boot Attacks

    Building on the Cold Boot research that was released in February of 2008, Tom Liston and Sherri Davidoff of Intelguardians presented “Cold Memory Forensics Work Shop” at CanSecWest 2008. The research found that the supposed volatility of conventional RAM is a half truth when a system is cold booted. In many cases memory will continue to hold state for seconds and sometimes even minutes after a system has been powered off.

    In a Cold Boot attack, an attacker with physical access to a system reboots the computer and dumps the contents of RAM for forensic analysis, recovering sensitive information (passwords, encryption keys, documents etc). In the Cold Memory Forensics Work Shop, Tom and Sherri discussed their findings in leveraging the Cold Boot techniques to harvest information from systems exposed during penetration testing, as well as their work in developing tools that will help quickly identify passwords that were stored in memory. Their goal is to be able to retrieve passwords within minutes of obtaining physical access to a target system.

    The approach used by the researchers is quite novel. The tools they are developing utilize a rudimentary signature-based system to flag static memory components which are usually present near sensitive pieces of information in memory (i.e. passwords). This simple enhancement to the previously published techniques makes this attack far more practical when sifting through large amounts of data obtained from the target system. In their presentation they talked about several cases where they were able to obtain passwords for a variety of popular applications.

    At the end of the Cold Memory Forensics Work Shop, William Paul and Jacob Appelbaum made themselves available to answer additional questions about the Cold Boot attacks. William Paul also demoed a modified iPod that could be used to boot a system and dump the contents of the RAM in under 5 minutes. This lends credence to how practical and innocuous this attack can be.

    This presentation should bring the risks associated with Cold Boot attacks to the forefront of people’s minds. That being said, although sensitive information is encrypted on disk, it is decrypted in memory and memory is more persistent than previously believed. This will require re-thinking of how some of our applications are designed and how we can work towards minimizing these types of problems. In a cube life world, systems are often left accessible to anyone with access to the office. Just as many offices implement a “clean desk” policy, a “clean desktop” policy may be required until a more permanent solution is presented.

    Posted by Josh Talbot on March 27, 2008 05:00 AM

    Source: Symantec Security Response Weblog: Practical Cold Boot Attacks

    It's just not safe out there anymore....

    Massive IFRAME SEO Poisoning Attack Continuing

    Last week's massive IFRAME injection attack is slowly turning into what looks like a large-scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating of the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices, or the lack thereof.

    What has changed since the last time? The number and importance of the sites has increased; Google is, from what it looks like, filtering the search results even though the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign; new malware and fake codecs are introduced under new domain names; and a couple of newly introduced domains appear within the IFRAMES themselves.

    Keep It Simple Stupid for the sake of efficiency is what makes the campaign relatively easy to track once you understand the importance of hot leads and real-time assessments for the purpose of setting the foundation for someone else's upcoming piece of the puzzle in an OSINT manner. The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants:

    USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

    Which are the main IPs injected as IFRAME redirection points?

    72.232.39.252
    NetRange: 72.232.0.0 - 72.233.127.255
    CIDR: 72.232.0.0/16, 72.233.0.0/17
    NetName: LAYERED-TECH-
    NetHandle: NET-72-232-0-0-1
    Parent: NET-72-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.LAYEREDTECH.COM
    NameServer: NS2.LAYEREDTECH.COM
    Comment: abuse@layeredtech.com

    195.225.178.21
    route: 195.225.176.0/22
    descr: NETCATHOST (full block)
    mnt-routes: WZNET-MNT
    mnt-routes: NETCATHOST-MNT
    origin: AS31159
    notify: vs@netcathost.com
    remarks: Abuse contacts: abuse@netcathost.com

    89.149.243.201
    inetnum: 89.149.241.0 - 89.149.244.255
    netname: NETDIRECT-NET
    remarks: INFRA-AW
    admin-c: WW200-RIPE
    tech-c: SR614-RIPE
    changed: technik@netdirekt.de 20070619

    89.149.220.85
    inetnum: 89.149.220.0 - 89.149.221.255
    netname: NETDIRECT-NET
    remarks: INFRA-AW
    admin-c: WW200-RIPE
    tech-c: SR614-RIPE
    changed: technik@netdirekt.de 20070619

    Newly introduced malware-serving domains upon loading the IFRAMES:

    mynudedirect.com/3/5144 (216.255.186.107) loads mynudenetwork.com/flash2/?aff=5144 (85.255.120.203) which attempts to load mynudenetwork.com/load.php?aff=5144&saff=0&sid=3 where the malware is attempting to load upon accepting the ActiveX object:

    Scanners result: 12/32 (37.5%)

    Suspicious:W32/Malware!Gemini; W32/BHO.BVW

    File size: 107536 bytes

    MD5: e50f2c9874a128d4c15e72d26c78352c

    SHA1: 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8a

    Moreover, gift-vip.net/images/index1.php (195.225.178.19) is still loading from the previous campaign, this time pointing to webmovies-b.com/movie/black/0/21/411/0/ (58.65.234.25), and of course, e.pepato.org/e/ads.php?b=3029 (58.65.238.59):

    Scanners result: 2/32 (6.25%)

    JS.Feebs.rv; JS/Feebs.gen2 @ MM

    File size: 16098 bytes

    MD5: 64bbd8ba8a0c9ce009d19f5b8c9d426e

    SHA1: 1b313198ef140d2c74f36aa84c13afe9497865b6

    We also have vipasotka.com/in.php?adv=5032&val=43c46ed2 (119.42.149.22) loading and redirecting to golnanosat.com/in.php?adv=5058&val=e32a412f (119.42.149.22):

    Scanners result: 11/32 (34.38%)

    Trojan.Crypt.AN; FraudTool.Win32.UltimateDefender.cm

    File size: 61440 bytes

    MD5: 5d83515199803e1fbcd3d2d8e0cd4ce5

    SHA1: 4c1f0eba4be895cf3b018e41fa7f13523424874d

    Last but not least is d08r.cn (203.174.83.55), a new domain introduced within the IFRAMES, which is also responding to another scammy ecosystem:

    07search.com
    5m9h41.com
    a666hosting.info
    gzoe7w.com
    l6q7x6.com
    nashepivo.com
    nbb3g1.com
    sraly.com
    uvilo.com
    vmksxo.com
    credits-counselor.com
    hx0k21.com
    mob-shop.net
    smart-search.net

    For the time being, Google is actively filtering the results, in fact removing the cached pages on a number of domains when I last checked; the practice makes it both difficult to assess how many and which sites are actually affected and, of course, undermines the SEO poisoning, as without it the input validation and the injected IFRAMEs would never have been able to attract traffic in the first place.

    The attack, which started two weeks ago, is still continuing: the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software are introduced, hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in combination with IFRAME injections. Which site is next? Let's hope not yours, as if you don't take care of your web application vulnerabilities, someone else will.

    Related posts:
    More High Profile Sites IFRAME Injected
    More CNET Sites Under IFRAME Attack
    ZDNet Asia and TorrentReactor IFRAME-ed
    Rogue RBN Software Pushed Through Blackhat SEO
    Massive RealPlayer Exploit Embedded Attack
    Another Massive Embedded Malware Attack
    Yet Another Massive Embedded Malware Attack
    Massive Blackhat SEO Targeting Blogspot
    Massive Online Games Malware Attack

    Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Massive IFRAME SEO Poisoning Attack Continuing
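A scanner for the symptom that both this post and Symantec's "Audit Your Web Server Lately?" post above describe: pages injected with IFRAMEs whose src is one of a handful of redirection IPs, frames that a visitor never sees. This is an added example, not code from either post. The blocklist is the four IPs named on this page; the sample page, the hidden-frame heuristics (zero width or height, display:none) and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
import sys

# The four redirection IPs named in the posts above.
BLOCKED_HOSTS = {"72.232.39.252", "195.225.178.21", "89.149.243.201", "89.149.220.85"}

# Constructed sample page: one legitimate embed followed by two injected frames.
SAMPLE_PAGE = """
<html><body>
<h1>Latest headlines</h1>
<iframe src="https://video.example.com/embed/123" width="480" height="270"></iframe>
<iframe src="http://72.232.39.252/go/" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://example.net/x.php" style="display:none;visibility:hidden"></iframe>
</body></html>
"""

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero(value):
    """True for width/height values that render as nothing (0, 0px, 1, 1px)."""
    m = re.match(r"^\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Record every <iframe>, together with the reasons it looks injected."""

    def __init__(self, blocked):
        super().__init__()
        self.blocked = blocked
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).hostname  # None for an empty or relative src
        if host in self.blocked:
            reasons.append("src on blocklist")
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size frame")
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, blocked=BLOCKED_HOSTS):
    """Return [(src, reasons)] for every iframe that is blocklisted or hidden."""
    parser = IframeAuditor(blocked)
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_files(paths, blocked=BLOCKED_HOSTS):
    """Audit HTML files on disk; returns {path: findings} for files with hits only."""
    hits = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = audit_html(fh.read(), blocked)
        if findings:
            hits[path] = findings
    return hits


if __name__ == "__main__":
    # Usage: python iframe_audit.py page1.html page2.html ...  (no arguments: scan the sample)
    if len(sys.argv) > 1:
        for path, findings in audit_files(sys.argv[1:]).items():
            for src, reasons in findings:
                print(f"{path}: {src} ({', '.join(reasons)})")
    else:
        for src, reasons in audit_html(SAMPLE_PAGE):
            print(f"{src} ({', '.join(reasons)})")
```

Run it over the document root of a web server (or over saved copies of pages fetched as a visitor would see them, since injected code is sometimes added at serve time rather than on disk). A legitimate, visible frame from a host that is not on the blocklist produces no finding, so the output is short enough to review by hand.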

     

    ‘Targeted Attack’ Mania

    Thursday March 27, 2008 at 7:00 am CST
    Posted by Craig Schmugar

    One of my roles at McAfee Avert Labs is to take a step back from the day-to-day attacks and look at the bigger picture: to review threat trends and forecast what’s to come. Some threats such as Web Feed Attacks and IM are more easily defined and quantified. Other threats are a little more abstract after you scratch the surface.

    In recent years the infamous “targeted attack” has gained much media attention. We often heard about a “segment” of users being hit, such as Myspace or Facebook users. I recall snickering the first time I heard a report stating that “home users” were the most targeted of all. I suppose next we’ll hear that Internet users are the most targeted.

    So what does the word targeted in targeted attack really mean? One could argue that anyone hit with an attack that was sent to him or her specifically (as in: the email message containing the virus was sent to your address) was a victim of a targeted attack, but that definition is way too broad, as the vast majority of all attacks would then be considered targeted. I pondered the definition of targeted attacks for a bit, trying to think of a simple yet concrete definition. I landed on the word discrimination. For me the key aspect of any targeted attack is that it must discriminate; otherwise the attack is either random, or one of opportunity.

    Consider Tom, a man who walks into a grocery store, and stops by the tomatoes. He gets the impulse to pick up a few of the mushy ones and hurls them at shoppers. Was this a targeted attack? I’m sure the headlines would read “XYZ Mart Shoppers Targeted by Tomato Mad Man,” but were they really? Those hit were simply in the wrong place at the wrong time; casualties of a random attack. Tom did not discriminate; he aimed for whoever was in proximity (if he aimed at all). If there happened to be five grandmothers nearby, this would still not have been a grandmother-targeted attack.

    To bring this back to computer security, spammers often use massive address lists during campaigns. When spammers want to reach as many addresses as possible, they cast a wide net, sending messages to each address on the list–no discrimination, no targeted attack.

    Consider a scenario in which an attacker discovers a flaw in Facebook. He may exploit that flaw to reach as many users as possible. Again, “Facebook users” were not targeted here, as there was no discrimination. The Facebook bug simply provided an opportunity.

    Here’s a real-world example of a targeted attack. Select U.S. government contractors were sent email messages that contained exploited PowerPoint documents that install a remote-access Trojan on victims’ systems. Here “select U.S. government contractors” were singled out; not “government contractors,” not “email users,” not “PowerPoint users,” and not “Microsoft” (maker of PowerPoint).

    In my Facebook example one could argue that the Facebook company itself was targeted; someone had to discover and exploit a flaw in that scenario to get to the user base. However, in my targeted U.S. government contractors example, few would consider Microsoft the target of that attack. The PowerPoint vulnerability was simply the means to an end, providing an opportunity.

    Let’s look at another type of attack.

    Some publicized targeted attacks used personal information. Potential victims may receive an email message containing not only their names, but also places of business, and possibly their titles, addresses, or phone numbers. Does that make these attacks targeted? Not necessarily. Yes, these are context-aware or personalized attacks; but without discrimination, these should not be considered targeted.

    Other attacks rely on applications typically used by a segment of the population, such as music or video players, or social-networking sites. Does this mean that segment is targeted? Those users may be at a greater risk of being attacked, but that does not make them targeted. Accordingly, malicious fake video codecs and the like do not necessarily target home users!

    Why Target?
    In an effort to keep this blog from getting too long, here’s a short list of why attackers might keep an attack targeted:

    • To keep a low profile for the malicious code (an effort to evade/delay malcode detection by flying under the radar)
    • To keep a low profile for the entity behind the attack (an effort to evade prosecution)
    • To minimize “casualties of war” (most attackers don’t really care if innocent bystanders get infected, but some small segment likely does).

    Asking the questions why and how the XYZ attack was limited can help determine if the attack was indeed targeted.

    What’s Really the Target?
    Another litmus test when attempting to validate a targeted attack is to ask: What is really the target? If the answer is any and every username and password the attackers can get their hands on, then the attack is probably not targeted. We often hear about a bank being targeted in a massive phishing attack. Although such an attack may have been geared toward users of a single bank, one must ask Why? Imagine, how effective would a single phishing campaign be if a spammed email message listed dozens of banking sites and asked users to click the link for their banks? And if the attacker must limit the phishing messages to a single bank, one could consider this to be a process of elimination, and elimination does not equal discrimination.

    I can appreciate the challenge the media face when writing the headline for an attack that affects only a segment of users. It’s just unfortunate that the term targeted is so overused that estimates of the problem can greatly vary.

    Source: Computer Security Research - McAfee Avert Labs Blog

     GREAT STUFF!!

    Sneak Peek – Client Status Reporting in Configuration Manager 2007 R2

    Recently, I’ve been working on the documentation set for a great new feature in the upcoming Configuration Manager 2007 R2, client status reporting.

    What’s client status reporting, you might ask? Those of you who’ve been around since SMS 2003 days might remember the SMS 2003 client health monitoring tool which gave you the ability to identify a number of site system and client problems on your site. This was a great tool, but had some disadvantages such as:

    • The tool stored its data in a separate database, adding administrative overhead for the site administrator.
    • Client health reports could not be displayed in the SMS console; the tool used Microsoft Excel and Internet Explorer to display reports.

    Client status reporting is an evolution of this tool designed to integrate with Configuration Manager 2007 R2 and provides a number of improvements over existing methods of diagnosing client status:

    • Identifies clients that are online, but are not requesting policy
    • Generates trending reports, showing client status over a period of time
    • Provides standard Configuration Manager reports to examine the status of clients
    • Identifies clients that are online, but are experiencing problems with one or more client components
    • Identifies clients that are online, but do not have up to date discovery or inventory information
    • Identifies offline clients
    • Identifies obsolete clients

    Another advantage of this tool is that it’s not dependent on Configuration Manager site systems. If an inbox on the site server is backlogged, this will not affect client status reporting.

    The feature uses a number of sources from which to analyze client status. Client status reporting retrieves discovery, inventory and heartbeat data from the site database together with policy request log file information from management points. This data is compared to user defined client activity periods. If the client has been active during this period, it is classed as ‘active’ and no further action is taken. If the client has not been active during this period, it is classed as ‘inactive’. Further testing can then be optionally performed on inactive clients to discover the problem.

    Client status reporting is a reporting tool only; it is unable to repair problems with your clients and cannot always give you the exact reason why a problem occurred. However, we think that you are going to find client status reporting to be a great tool to broaden your knowledge of what’s happening with client computers at your site. This information should ultimately help you to achieve greater client coverage - and hence more successful software rollouts.

    Beta documentation for this tool has already been written and we’re working very hard to produce a great set of documentation for the final release. Search for the topic ‘Tasks for Client Status Reporting in Configuration Manager R2’ in the beta documentation library for help getting started.

    You can register for the Configuration Manager SP1 and R2 betas at the following URL:

    https://connect.microsoft.com/site/sitehome.aspx?SiteID=16

     Rob Stack

    This post is provided AS IS and confers no warranties

    Published Tuesday, March 25, 2008 7:10 PM by WEMD UA - SMS Writing Team

    Source: Configuration Manager Writers - Announcements, Comments and other Stuff : Sneak Peek – Client Status Reporting in Configuration Manager 2007 R2

     

    Secure Your Wireless Router

    Wednesday March 26, 2008 at 10:23 pm CST
    Posted by Zhu Cheng


    Wireless routers are very common in homes in China nowadays. Unfortunately, properly secured wireless routers are not. Many are still not configured with a network key. This creates a serious security problem.

    To demonstrate, just from my home I can easily find a wireless router with no network key. Most of these routers provide a DHCP service, so my laptop can obtain an IP address and access the Internet using that router.

    Having obtained an IP address, I run the command “ipconfig /all” to get the IP address of the gateway (router). Then I access that IP via HTTP using Internet Explorer. I get a prompt for a username and password. From this prompt, I learn that the router is manufactured by TP-Link. I easily find the default username and password for this router online. I try the defaults, and I am in luck.

    I am now logged into the wireless router’s administration page. No advanced technology was needed. To a person with malicious intentions, the possibilities are great.

    To test how prevalent this problem is, I use my mobile phone with WiFi capability and find many wireless routers around my home. Many are not secure, and many have the default admin username and password.

    So secure your wireless router. Changing the default admin password and setting up wireless security just takes a minute, but it goes a long way in preventing a big security problem.

    Source: Computer Security Research - McAfee Avert Labs Blog

     

    More analysis on the MS Jet Exploits camouflaging as Microsoft Word files

    Wednesday March 26, 2008 at 4:27 pm CST
    Posted by Shinsuke Honjo


    Recently, we blogged about MS Access exploits being targeted through Microsoft Word. In this blog we dig deeper, to see the structure of the files used in this attack, and analyze how the payload is delivered.

    In the following example, the threat arrived as 2 files with “.doc” extensions (xxx1.doc and xxx2.doc); however one of the files is actually a Microsoft Access database containing the MS Jet exploit.  The whole story is depicted in Figure 1.


    Figure 1: The flow of the trojan installation process

    When users open the MS Word file xxx1.doc, the MS Access file xxx2.doc is loaded through the data link properties. Then the shellcode in the xxx2.doc file runs (triggered by the MS Jet exploit in the same file) and decodes itself in typical fashion. The shellcode launches WinWord.exe to open the innocent Word file embedded in “xxx1.doc”.

    While the shellcode opens the Word file, it also decodes the executable file embedded in xxx1.doc. The decoding consists of a simple XOR with a mask of 0xFF, plus deobfuscating the first 8 bytes of the MZ header, which are masked with the XOR mask 0xAF.
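    For analysts who want to pull the embedded executable out of a carrier file like xxx1.doc for examination, here is an added example (not the post author's tooling) that reverses the two-mask XOR described above and validates the result by its MZ and PE signatures. It assumes the post's layout is: first 8 bytes XORed with 0xAF, every byte after that with 0xFF; the carrier bytes it scans are constructed.

```python
"""Recover an XOR-masked PE from a carrier file (added example, not from the post).
Assumed layout: first HEAD_LEN bytes XOR 0xAF, remaining bytes XOR 0xFF."""
import struct
from typing import Optional, Tuple

HEAD_MASK, BODY_MASK, HEAD_LEN = 0xAF, 0xFF, 8


def decode_embedded_pe(blob: bytes) -> bytes:
    """Reverse the two-mask XOR: HEAD_LEN bytes with HEAD_MASK, the rest with BODY_MASK."""
    head = bytes(b ^ HEAD_MASK for b in blob[:HEAD_LEN])
    body = bytes(b ^ BODY_MASK for b in blob[HEAD_LEN:])
    return head + body


def looks_like_pe(data: bytes) -> bool:
    """Analyst sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(carrier: bytes) -> Optional[Tuple[int, bytes]]:
    """Scan a carrier for an offset where the masked bytes decode to a valid PE.

    Only offsets whose first two bytes XOR (with HEAD_MASK) to 'MZ' are tried."""
    masked_mz = bytes(b ^ HEAD_MASK for b in b"MZ")
    start = 0
    while (off := carrier.find(masked_mz, start)) != -1:
        candidate = decode_embedded_pe(carrier[off:])
        if looks_like_pe(candidate):
            return off, candidate
        start = off + 1
    return None


def _build_sample_carrier() -> bytes:
    """Constructed input: OLE-like filler followed by a minimal masked DOS/PE stub."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew points at the PE header
    pe = bytes(dos) + b"PE\x00\x00" + b"\x00" * 20
    masked = decode_embedded_pe(pe)                   # XOR is its own inverse
    return b"\xd0\xcf\x11\xe0" + b"\x00" * 100 + masked


SAMPLE_CARRIER = _build_sample_carrier()

if __name__ == "__main__":
    hit = find_embedded_pe(SAMPLE_CARRIER)
    print("embedded PE at offset", hit[0] if hit else None)
```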

    You may see the data link aspect of xxx1.doc by placing the xxx2.doc file in a different folder than xxx1.doc. When users open xxx1.doc, the “Data Link Properties” window appears. The specified database name is the path containing xxx2.doc and the password is empty. Because of this data link, xxx2.doc is typically loaded silently.

    The trojan installation techniques used in this threat are nothing special and can be seen in other exploit files; however, the method used to trick users in this attack, using non-exploit OLE files as loaders of other exploit OLE files, is something new. As we see from past attacks, we can no longer rely on file extensions. We should continuously be careful with all unknown OLE files and not open untrusted email attachments.

    Source: Computer Security Research - McAfee Avert Labs Blog
