June 2008 - Posts

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: June 30, 2008

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (954960)

- Title: Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates

- http://www.microsoft.com/technet/security/advisory/954960.mspx

- Revision Note: Advisory published.

Internet Explorer 7 Frame Location Handling Vulnerability

Advisory Available in German

Secunia Advisory:
SA30851

Release Date:
2008-06-26

Critical:
Moderately critical

Impact:
Security Bypass
Spoofing

Where:
From remote

Solution Status:
Unpatched

Software:
Microsoft Internet Explorer 7.x

 

Description:
sirdarckcat has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct spoofing attacks.

The problem is that it is possible for a website to modify the location of another frame in another window by setting the location to an object instead of a string. This can be exploited to load malicious content into a frame of a trusted website.

This may be a variant of:
SA11966

The vulnerability is confirmed in IE7. Other versions may also be affected.

Solution:
Do not visit or follow links from untrusted websites.

Provided and/or discovered by:
sirdarckcat

Original Advisory:
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html

Other References:
GNUCITIZEN:
http://www.gnucitizen.org/blog/ghost-busters/

SA11966:
http://secunia.com/advisories/11966/

Jun25

Phishing Mail Sent via Yahoo! Groups

by Jake Soriano (Technical Communications)

Spammers were doing it before so it was also only a matter of time before phishers learned the trick and started doing it too. “Personalized” phishing emails, even with all the available social engineering techniques out there, are old, right? Now phishing emails in Yahoo! Groups, that’s new.

TrendLabs’ Content Security Team got hold of the following phishing email message:

Phishers appear to have sent this email through Yahoo! Groups via either of the standard posting methods: through the Yahoo! Groups site’s Post Message feature or through sending an email to the group’s @yahoogroups.com address. Thus, users who receive this email from a Yahoo! Group (of which they are members) are likely to believe that it is legitimate.

The success of this phishing attempt further depends on how the group mailing list is actually moderated (there are settings that allow the moderator to approve all messages before they are sent out to members, see Yahoo! Groups spam abuse prevention features), and the veracity of past emails sent to the same distribution list. All these efforts and clues are laid to waste, however, should the email come from a legitimate member with an infected or bot-controlled PC, as is typical in spamming operations.

However, we detect this as a phishing attack because the link text shown to the recipient differs from the URL the browser actually connects to. Even more to the point, that URL leads to a page that steals user identities by gathering personal and sensitive information such as phone numbers, PINs, passwords, account numbers and debit card numbers. This information is sent to the phishers, who may then use it themselves or sell it in underground forums to cyber criminals. A screenshot of the phishing page is found below.

Note that the legitimate URL of The Royal Bank of Scotland (rbs.co.uk) is different from the domain of the URL which opens to the above page (rtsrv.co.uk).
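One way to implement the check the post describes, a visible link that names one domain while the href points at another: the following is an added example, not Trend Micro's code. The e-mail body, the hostnames and the function names are constructed for the demo (the rbs.co.uk/rtsrv.co.uk pair is the one named above). The base-domain helper is a deliberate simplification; a production filter would consult the Public Suffix List.

```javascript
// Added example: flag anchors whose visible text looks like a URL on one
// base domain while the href points at a different one. Runs in Node.js
// with no third-party modules. SAMPLE_EMAIL_HTML is constructed for the
// demo, not the message from the post.

const SAMPLE_EMAIL_HTML = `
<p>Dear customer, please confirm your details at
<a href="http://www.rtsrv.co.uk/login/index.php">https://www.rbs.co.uk/secure/login</a>
or visit <a href="https://www.rbs.co.uk/help">our help page</a>.</p>
`;

// Reduce a hostname to its registrable-looking suffix so that
// www.rbs.co.uk and online.rbs.co.uk compare equal. Heuristic only:
// keep three labels for two-part ccTLDs such as co.uk, otherwise two.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const twoPartTld = /^(co|org|ac|gov|net)\.[a-z]{2}$/.test(labels.slice(-2).join('.'));
  return labels.slice(twoPartTld ? -3 : -2).join('.');
}

// Hostname of a string if it parses as an absolute URL, else null.
function hostOf(text) {
  try {
    return new URL(text.trim()).hostname;
  } catch (_e) {
    return null;
  }
}

// Returns one record per anchor whose visible text is itself a URL whose
// base domain differs from the base domain of the href. Anchors with plain
// prose as text are skipped: there is nothing to compare.
function findMismatchedLinks(html) {
  const anchorRe = /<a\s[^>]*href\s*=\s*"([^"]+)"[^>]*>([\s\S]*?)<\/a>/gi;
  const hits = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, ''); // strip nested tags
    const hrefHost = hostOf(href);
    const textHost = hostOf(text);
    if (!hrefHost || !textHost) continue;
    const hrefDomain = baseDomain(hrefHost);
    const textDomain = baseDomain(textHost);
    if (hrefDomain !== textDomain) {
      hits.push({ href, text, hrefDomain, textDomain });
    }
  }
  return hits;
}
```

Running findMismatchedLinks(SAMPLE_EMAIL_HTML) returns a single hit, the rtsrv.co.uk link dressed up as rbs.co.uk; the "our help page" anchor is ignored because its text is not a URL. The same comparison is the basis of the "displayed URL versus real URL" rule in most mail filters.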

Trend Micro Smart Protection Network uses an integrated approach that protects users against online threats before users ever see them. It ensures that this phishing attempt does not reach Trend Micro users’ email inboxes, while blocking the malicious domain in case this phishing attempt slips through.

Moderators of Yahoo! Groups (but not only!) should take time to read about their options related to keeping their members safe from spam and phishing attempts (or even just off-topic emails) at the Yahoo! Groups FAQ on spam abuse prevention, and list management in general.

Thanks to Grace Ermitanyo, Anti-phishing Engineer, for the detailed analysis about this attack.

Jun25

More Pop Culture Spam

by Roderick Ordoñez (Technical Communications)

We have been seeing a slew of spam bearing mismatched or unrelated subjects and message bodies similar to these:

Other subjects seen so far:

  • Hiliary admits past failures
  • Star Trek star dies at age 79
  • Find out about Harry Potter’s last novel
  • Turner Empire poised for bankruptcy file
  • Obama suffers setback in polls due to sex secrets
  • Nokia unveils revolutionary new phone design
  • Ford unveils latest 2 door design hatch
  • Italy knocked out of Euro 2008
  • Britney found hanged in locker room

Message bodies seen so far:

  • Lindsay Lohan converts to Islam, causes uproar
  • Heir to Prada empire found strangled
  • Don’t belittle the effects of power enlargement
  • Fantastic upgrade to your manhood available now
  • Try out the latest herbal solution that will make you a new superhero
  • Lindsay Lohan converts to Islam
  • Italy showed France the difference in length

The body text is followed by clickable URLs, similarly made up of irrelevant-sounding domain names, all ending in R.HTML. All R.HTML files lead to the download of the same malware, VIDEO.EXE (detected as TROJ_AGENT.ISU; a similar file name was last seen in this spam run), via redirect, iframe and codec-style installation code found in r.html. Other visitors, however, are first redirected to hxxp:// 61.{BLOCKED}.{BLOCKED}.12/index.php and see a fake 404 page:

This path also ends in the download of TROJ_AGENT.ISU, though from hxxp:// 61.{BLOCKED}.{BLOCKED}.12 instead. In this case the INDEX.PHP-generated pages use random variables for each generated page, and the resulting Trojan installed on the system also has a random file name. TROJ_AGENT variants are small files that aid a main malware one way or another (by downloading the main malware file from the Internet, hiding it, or helping with its autostart technique).

The spam-malware tandem is a common tactic, and most spam does lead to malware. Thus, the tried and tested method of not clicking on links sent through spam is highly effective in protecting your system, as well as keeping one’s spam filter and antivirus up-to-date. Remember: links received in spam lead to malware, and ultimately, to disaster.

Malware writers never tire of using VIDEO.EXE as a file name for malware. Here are some posts of malware hiding under the said overused disguise:

ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket’s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.

Read more here - "ICANN and IANA’s domains hijacked by Turkish hacking group". A single email address appears in the updated DNS records of all the domains, presumably courtesy of the NetDevilz team - foricann1230@gmail.com

More details will be posted as soon as they emerge.

New spam trend: Spammers take advantage of high gas prices and credit crunch to advertise products and services - Date: 06.25.2008

Threat Type: Malicious Web Sites / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has detected an increase in spam targeting the current economic factors.

The tough economic times are hard on consumers, but spammers have not skipped a beat. They are now using economic factors like high gas prices, the credit crunch and housing costs to advertise their products and services. Today the Websense® Security Labs™ ThreatSeeker™ Network is reporting an increase in spam surrounding these themes. Additionally, with a growing number of people facing foreclosure and other financial distress, Websense researchers are also noticing an uptick in solicitations for credit cards, credit reporting services, and debt consolidation services.

Scammers have long used "pump and dump" spam stock investment schemes which attempt to boost the price of a company's stock through false and misleading promotions or highly exaggerated statements. As a sign of the times, with the stock market down, Websense researchers have also noticed fewer and fewer of these campaigns.

Here is an example of spam advertising a product which claims to lower your gas costs:

Here is an example of spam advertising a credit score lookup service:

Here is an example of spam advertising a service to obtain more credit:

Here is an example of spam from the folks behind the Nigerian 419 fraud:

Jun25

Turkish Hackers Relive Memories in Photobucket

by Jovi Umawing (Technical Communications)

Photobucket, one of cyberspace’s more popular image sharing Web sites, was attacked by the Turkish hacker group NetDevilz. Reports spread across forums, discussion boards and security blogs; The Register also reported on the attack.

Hackers were said to have used a Domain Name System (DNS) hijack, so that anyone accessing photobucket.com was directed not to the legitimate page but to a greeting page from the hackers who performed the attack. A screenshot of the said page can no longer be replicated at this time, but one of the forum posters saved the text (in Turkish), which is as follows:

# NeTDevilz #
… and NeTDevilz is back on stage
Is there anyone who remembers us? We thought we had been forgotten and
decided to remind you again!
( Turkish hackers group )
ZeberuS - GeCeCi - MiLaNo - The_BeKiR - h4ckinger - SerSaK - KinSize
we are came back !
©2008 NetDevilz Co.
We’re not first,But We’re the BEST!

The text approximately translates to the following (thanks to a post from Paul Mah):

“Is there anyone who remembers us? We thought you forgot us and we decided to remind you again.”

Though Photobucket.com is already back to normal, those concerned about this issue are still waiting for an update from its owners; as of this writing, Photobucket has not confirmed whether it was indeed hacked, nor what the scope of the damage was. Users, unfortunately, are left to content themselves with this response, which Photobucket posted in its own forum, much to the frustration of those concerned:

Almost two weeks ago, independent security researcher Dancho Danchev reported in his blog about an attack on ImageShack, a site similar in nature to Photobucket. In that case the image-sharing site was attacked using typosquatting, and users were directed to sites that serve malware. More details from ZDNet here.

As to motive, it seems the Turkish hacker group was only out this time for some good ol’ cyber vandalism (note that the attack was against Photobucket’s domain name, not against visitors’ systems as some may think). The fact that the group successfully hijacked the image-sharing site’s domain is a neon warning sign that they could do more damage to the site, or any site for that matter, than just putting up a sign to declare their existence: a hijacked domain can just as easily send visitors to a page that serves malware. Perhaps it is wise to take this ‘threat-greeting’ seriously. No one knows whether they would be the group responsible for cooking up the next security threat that cripples a bigger chunk of cyberspace. Here’s hoping that will not be the case.

Below are some of the most notable DNS attacks on sites to date:

Internet Explorer 6 Window "location" Handling Vulnerability
Advisory Available in German

Secunia Advisory:
SA30857

Release Date:
2008-06-26

Last Update:
2008-06-27

Critical:
Moderately critical

Impact:
Security Bypass
Cross Site Scripting

Where:
From remote

Solution Status:
Unpatched

Software:
Microsoft Internet Explorer 6.x


Description:
Ph4nt0m Security Team has discovered a vulnerability in Internet Explorer 6, which can be exploited by malicious people to conduct cross-domain scripting attacks.

The vulnerability is caused due to an input validation error when handling the "location" or "location.href" property of a window object. This can be exploited by a malicious website to e.g. open a trusted site and execute arbitrary script code in a user's browser session in context of the trusted site.

The vulnerability is confirmed in IE6 on Windows XP SP2. Other versions may also be affected.

Solution:
Upgrade to Internet Explorer 7, which is unaffected.

Provided and/or discovered by:
Ph4nt0m Security Team

Changelog:
2008-06-27: Added link to US-CERT.

Original Advisory:
Ph4nt0m Security Team (Chinese):
http://www.ph4nt0m.org-a.googlepages.com/PSTZine_0x02_0x04.txt

Other References:
US-CERT VU#923508:
http://www.kb.cert.org/vuls/id/923508

June 27th, 2008

Internet Explorer ‘feature’ causing drive-by malware attacks

Posted by Ryan Naraine @ 9:07 am

My colleague at Kaspersky Lab Roel Schouwenberg (see disclosure) has discovered a drive-by malware download taking advantage of what Microsoft describes as an Internet Explorer “feature” to launch cross-site scripting attacks.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

Schouwenberg said he reported the vulnerability to Microsoft a long time ago, warning the company that JavaScript embedded in GIF files can be executed under certain circumstances. Microsoft disagreed and the issue was never patched.

Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site.  (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks).

“This is a step more advanced than today’s very common Web site compromises where some JavaScript gets added to the main page,” Schouwenberg said.  In this case, a “view source” at the compromised site will not reveal any malicious code, making swift analysis harder.

Schouwenberg has contacted Microsoft again to reconsider its position on this issue.
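A triage check for the kind of file described above, as an added example that is not code from the post or from Kaspersky Lab: a genuine GIF begins with "GIF87a" or "GIF89a" and has no reason to contain HTML markup, so an image whose bytes include "<iframe" or "<script" deserves a closer look even though a view-source of the page shows nothing. The sample buffers and the marker list are constructed for the demo; the post does not say how the real file was laid out.

```javascript
// Added example: flag image files that carry HTML markup. The two sample
// buffers are constructed here (a minimal GIF header and trailer, with and
// without an injected iframe) and are not the file from the compromised
// site. Runs in Node.js; Buffer is a built-in.

const HTML_MARKERS = ['<iframe', '<script', '<html', '<body', 'javascript:'];

// True when the first six bytes are a GIF signature.
function looksLikeGif(buf) {
  const head = buf.subarray(0, 6).toString('latin1');
  return head === 'GIF87a' || head === 'GIF89a';
}

// Returns the markers present anywhere in the file (empty when clean).
// latin1 decoding maps every byte to one character, so binary image data
// cannot be mangled into a false positive by a multi-byte decoder.
function htmlMarkersInImage(buf) {
  const body = buf.toString('latin1').toLowerCase();
  return HTML_MARKERS.filter((marker) => body.includes(marker));
}

// Summary verdict for one file.
function classifyImage(buf) {
  if (!looksLikeGif(buf)) return 'not-a-gif';
  const found = htmlMarkersInImage(buf);
  return found.length ? 'gif-with-html:' + found.join(',') : 'clean-gif';
}

// Constructed samples: logical screen descriptor for a 1x1 image, no
// global colour table, then the 0x3b trailer.
const CLEAN_GIF = Buffer.concat([
  Buffer.from('GIF89a', 'latin1'),
  Buffer.from([0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x3b]),
]);
const TAINTED_GIF = Buffer.concat([
  CLEAN_GIF,
  Buffer.from('<iframe src="http://example.invalid/x" width=0 height=0></iframe>', 'latin1'),
]);
```

classifyImage(CLEAN_GIF) returns "clean-gif" and classifyImage(TAINTED_GIF) returns "gif-with-html:<iframe". Run over a site's image directory this is a cheap first pass; it does not tell you whether a given browser will actually render the markup, only that an image has no business containing it.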

Jun25

PDF Exploit Causes BSoD???

by Edgardo Diaz, Jr. (Threats Analyst)

We have discovered a new Adobe Reader/Acrobat exploit (detected since 24 June 2008 as TROJ_PIDIEF.AC) hosted on the following URL:

http://{BLOCKED}e-actions.com/secure.cgi?…

The vulnerability targeted by this Trojan causes Adobe Acrobat to execute arbitrary malicious code that downloads and executes a file found in:

http://{BLOCKED}e-actions.com/secure.cgi?…

The downloaded file is saved inside a temporary folder as Eyal.exe. Trend Micro detects this file as TROJ_DLOAD.BO. This Trojan modifies the current wallpaper of the infected user to:


Figure 1. Wallpaper modified by TROJ_DLOAD.BO.

Furthermore, TROJ_DLOAD.BO downloads screensavers that disable the Screensaver tab in the Display Properties of the compromised PC:


Figure 2. TROJ_DLOAD.BO disables the Screensaver tab normally found among the tabs under Display Properties.

TROJ_DLOAD.BO then displays random screensavers, some of which are shown below:


Figure 3. Sample screensaver 1


Figure 4. Sample screensaver 2


Figure 5. Sample screensaver 3


Figure 6. Sample screensaver 4

According to the Adobe Security Bulletin on this issue, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2. From our analysis the exploit does work on lower versions but only causes 8.1.2 to crash.

We believe that this was not the first time this specific vulnerability was exploited. So far, we have two other reports of malicious PDFs that behave in somewhat the same manner as the exploit discussed here. They are TROJ_PIDIEF.NN (detected since 07 June 2008) and TROJ_PIDIEF.AE (detected since 24 June 2008).

As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads. It thus becomes all the more important to employ a protection suite that cuts off infection at various points of the attack.

In this case, Trend Micro Smart Protection Network already blocks the malicious URLs and detects the file taking advantage of the critical vulnerability. Users are highly encouraged to update their scan engines and to immediately update their software once patches are available from the vendor.

New PDF exploits: “Old wine in a new bottle!”

Thursday June 26, 2008 at 8:30 pm CST
Posted by Yichong Lin

Trackback

We came across some samples, and some vendors claim that these samples exploit the new PDF vulnerability CVE-2008-2641.

We took a look at this issue and found that this is not the case; the samples still exploit the old vulnerability CVE-2007-5659, a buffer overflow in the Collab.collectEmailInfo function of Adobe Reader’s own JavaScript engine.

The JavaScript itself was compressed inside the PDF file. Decompressing the content revealed obfuscated JavaScript; digging through it, the real exploit turned up encrypted in a long string, together with a function that decrypts the string into the real exploit code and passes it to eval().

It is interesting that the function uses its own source code (arguments.callee) as part of the key to decrypt the real exploit code, so the usual trick of replacing eval() with alert() or document.write() to dump the decrypted exploit does not work: the eval() call is itself part of the key, and changing the function changes the key. It is an interesting way to obfuscate the exploit and keep security researchers away from the real code, almost like a ’self-checksum’ mechanism.

Once we had worked out how to get the real JavaScript exploit code, we found that it exploits CVE-2007-5659 reliably using a heap spray.

Some vendors claim that the exploit works on lower versions but crashes 8.1.2. This is not the case: the heap spray can take some time to fill memory, and during that period we observed that Adobe Reader stopped responding, but it did not crash. After a couple of minutes it returns to normal and pops up a “Send by Email for review” dialog box. In short, Adobe Reader 8.1.2 appears to be immune to this exploit, as Adobe has already patched this vulnerability.
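The self-keyed decoder described above, reconstructed as an added example (this is not the sample's code, and the encrypted string is a constructed placeholder, not the real exploit). It shows why editing the decoder fails and why hooking eval() from outside, leaving the decoder byte-for-byte intact, recovers the plaintext. The sample used arguments.callee; the example keys on a named function's own toString(), which is the same self-reference and also works in strict mode. Function names are the example's own.

```javascript
// Added example: self-keyed XOR decoder. The key is the decoder's own source
// text, so any edit to the decoder (e.g. eval -> alert) changes the key and
// the payload no longer decodes. Runs in Node.js, sloppy or strict mode.

function xorWithKey(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// The decoder as the malware would ship it: decrypt with own source, eval.
function dropper(payload) {
  const key = dropper.toString();
  return eval(xorWithKey(payload, key));
}

// What an analyst gets by editing the decoder to return the plaintext
// instead of running it: the source text, and therefore the key, differs.
function editedDropper(payload) {
  const key = editedDropper.toString();
  return xorWithKey(payload, key);
}

// Stand-in for the encrypted exploit string, produced with the genuine key.
const PLAINTEXT = "({ note: 'decoded exploit would be here' })";
const PAYLOAD = xorWithKey(PLAINTEXT, dropper.toString());

// Approach 1: the alert()/document.write() substitution. Yields garbage.
function recoverByEditing() {
  return editedDropper(PAYLOAD);
}

// Approach 2: leave the decoder untouched and intercept eval. Inside
// dropper() the identifier `eval` resolves to the global property, so the
// replacement receives the decrypted code instead of executing it.
function recoverByHookingEval() {
  const realEval = globalThis.eval;
  let captured = null;
  globalThis.eval = (code) => { captured = code; return undefined; };
  try {
    dropper(PAYLOAD);
  } finally {
    globalThis.eval = realEval;
  }
  return captured;
}
```

recoverByHookingEval() returns PLAINTEXT; recoverByEditing() does not, because editedDropper's source differs from dropper's in its first line and every XOR'd byte from that point on is wrong. In a browser the same idea is to redefine window.eval (or set a breakpoint on it) before the page's script runs, rather than touching the obfuscated code.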

Internet Explorer 6 Cross-Domain Scripting Vulnerability
Posted by Vulnerabilities @ 14:44 GMT

Microsoft's Internet Explorer 6 has a reported cross-domain scripting vulnerability which could potentially expose user credentials (such as usernames/passwords) and allow session hijacking via stolen cookies.

Based on the results of our most recent poll:

Browser Poll Results

…this won't directly affect 98% of our readership.

But as Mike Clark commented, "I answered Firefox, but I filled out the survey in IE6! This is because I am at work and my boss specifically refuses to allow me to use FF".

So at least one of you has to use IE 6.

As per reports, the vulnerability affects Internet Explorer 6 on Windows XP SP2/SP3. The latest version of Internet Explorer (IE 7), with its improved handling of JavaScript protocol URLs, is not vulnerable.

This vulnerability has been reported to Microsoft and the research team has created a proof of concept:

http://raffon.net/research/ms/ie/crossdomain/string.html

If you open the link in IE 6, you'll see that script from the domain raffon.net can read the cookie of a different domain, i.e. google.com.

It's a PoC and isn't yet known to be in the wild, but it is considered to be moderately critical as many people still use IE 6.

Vulnerability Team post by — Jay

Published: 2008-06-24,
Last Updated: 2008-06-24 22:17:41 UTC
by Jason Lam (Version: 1)
1 comment(s)

Microsoft released a security advisory today in reaction to the mass SQL injection exploitation on the Internet. Unlike most other Microsoft security bulletins and advisories, this one isn't about a flaw in a Microsoft product. In the advisory's words: "These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database."

Aside from providing links to information on SQL Injection, Microsoft recommends three approaches to help mitigate SQL Injection.

1. Runtime scanning

HP trimmed down a version of its WebInspect scanner to look for SQL injection vulnerabilities on a running website. Please note this scanner is very basic and should be used for a quick inspection only. I like that the scanner is able to dump table names, which helps eliminate false positives.

2. URLScan

Microsoft's basic Web application firewall for IIS. It can block unwanted requests by pattern. This should only be used as a proactive layer or as a short-term emergency fix for SQL injection vulnerabilities, not as the fix itself.

3. Code Scanning

MS released a nice ASP source code scanning tool to look for SQL injection flaws. It is focused on SQL injection and seems to produce very few false positives, which is a common problem with code scanners.

You may ask, runtime or code? The answer is both, if you can do it. For example, if the ASP file calls a stored procedure and the stored procedure then performs an EXEC on a string it built by concatenation, code scanning will not flag the problem because the ASP code looks fine (only the stored procedure is at fault). Conversely, runtime scanning can miss parts of the site because this version of the scanner does not follow JavaScript and does not submit POST requests while spidering.

Kudos to Microsoft for releasing the tools and information to help developers fix their apps. The free scanner from HP is appreciated too.

25 June 2008

Google fingered as major source of Badware

By Robert McMillan, IDG News Service

Google is one of the worst offenders when it comes to hosting badware, according to research from a Google-sponsored site.

Internet consumer advocacy group Stopbadware.org has released data on "badware" websites saying that Google was one of the top five networks responsible for hosting dangerous sites.

The numbers show that China is now a top source of malicious websites - China-based networks hosted more than half of the malicious web sites tracked by the group - but Google's appearance on the list is perhaps more remarkable. Google is a sponsor of Stopbadware.org, and it is the company that provides the raw data that is analysed by the group.

A year ago, Google did not appear on Stopbadware.org's list of the top 10 sources of badware, but recently scammers and online criminals have turned to Google's Blogger service to host malicious or spyware-related web pages, security experts say.

"Because it's free and because it's on a blog and you can post links to whatever you like, people have found ways to take advantage of this and create large numbers of free blogs that have bad links on them and in some cases even bad code," said Maxim Weinstein, manager of Stopbadware.org.

In March, Google was the top badware network tracked by Stopbadware. These latest numbers were compiled at the end of May.

The other four top networks for badware were based in China, led by a China Telecom network with 48,834 infected sites. Google was hosting 4,261 infected sites in May, Stopbadware.org said.

Last year most of the top networks were based in the US, but now Stopbadware.org says that US networks account for just 21 percent of infected sites. "The US. ... was right on the world average" when one factors in the number of Internet users, Weinstein said.

Networks based in western Europe, in contrast, had far fewer badware sites. "European hosts are either being targeted less or are doing a better job of security," he said.

Google did not respond to requests for comment on these numbers, but Weinstein said that the company has become very aggressive in cracking down on badware, which Stopbadware defines as spyware, malware or deceptive adware.

Most malicious Blogspot sites are taken down within the day, he said.

Still, Google has its critics.

"The security community has known about Google's problems for at least a year or two now, and unfortunately Google has not responded with anything other than hand waving," said Robert Hansen, CEO of SecTheory, a web security consultancy.

Google could make it harder to host malicious code on Blogspot, but that would cut down on the number of things that its users could do with the site, Hansen explained. "Google allows full unrestricted JavaScript. MySpace.com takes a lot of precautions to not allow that by contrast ... it's much harder to put malicious JavaScript on MySpace than it is Blogspot."

Can You Check This for Me?
  • date 06-23-2008 12:06 PM
  • author M.K. Low writes:

Recently, during her vacation to visit me, my sister forgot her cell phone and had to use her credit card in a pay phone to call me. Later that day, she tried to use the same credit card to check into her hotel and it was declined. After calling the credit card company, the man on the phone informed her that criminals often test stolen credit cards in pay phones to verify if it is still valid. Credit card companies know this and instantly put a hold on the card when this occurs.

Of course, this doesn't bode well for the criminal. They have checked if the card works and by doing so, it has been flagged and possibly deactivated. What is a criminal to do? What other methods can they use to verify the validity of the card but yet, still be able to buy that limited edition R2D2 DVD projector after the process? In a previous blog, it was observed that some criminals use the stolen credit card to donate a small amount to a major charity. If the transaction was successful, then they know the card is valid.

In the underground economy servers that Symantec monitors, I noticed that criminals are now offering "background check" services for credit cards. Not only are criminals concerned about the validity of the cards they purchase (they often use "fresh" in their ads to indicate that the cards are still valid), but they are also concerned about the validity of the numbers they are given and that all parts, such as the expiry date and CVV2 number, match up. (The "card verification value" is the three-digit number on the back of most cards, four digits on the front for American Express, used for card-not-present transactions.) For example, one vendor offered checking services for expiration dates, CVV2 numbers, and dumps (information stored on the magnetic stripe). For $10, the vendor will check 1000 CVV2 numbers against the corresponding credit card numbers. Quelle bargain!

Now, verifying a credit card number itself is pretty simple, since the major card brands use the Luhn algorithm as the check digit. The Luhn check catches every single-digit error and all adjacent transpositions except 09 <-> 90, but it is only a checksum on the card number: it says nothing about whether the CVV2 or the expiration date are right. What about those?

If you don’t want to pay (or if you don't trust) someone else to check your numbers, you can buy a CVV2 checker online for 50€ ($78 USD). Not only will you be able to check an unlimited number of cards, you get the bonus of being able to generate your own CVV2 numbers. There are also expiration date validation scripts available for download, too. The one I found was free as long as you didn't change any of the comments in the source file. This type of criminal activity just underlines the importance that companies should be moving towards stronger multi-factor authentication and not just relying on "secret" numbers on a plastic card.
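The Luhn check in code, as an added example that is not part of the post, with two small probes that go slightly beyond the text: one confirms that every single-digit error is caught, the other lists the adjacent swaps that slip through (only 09/90). The card numbers are constructed test values, not real accounts; function names are the example's own.

```javascript
// Added example: Luhn check digit and what it does and does not detect.
// Test numbers are constructed values, not real cards.

// Standard Luhn: from the right, double every second digit, subtract 9 if
// the result exceeds 9, sum everything; valid when the sum is a multiple of 10.
function luhnValid(number) {
  const s = String(number).replace(/\D/g, '');
  if (s.length < 2) return false;
  let sum = 0;
  for (let i = 0; i < s.length; i++) {
    let d = s.charCodeAt(s.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// The digit that makes payload + digit pass the check. This is all a card
// number "generator" needs, which is why Luhn is not a security control.
function luhnCheckDigit(payload) {
  for (let d = 0; d <= 9; d++) {
    if (luhnValid(payload + String(d))) return String(d);
  }
  throw new Error('unreachable: one of ten digits always works');
}

// Probe 1: mutate each digit to every other value; true if all are rejected.
function catchesAllSingleDigitErrors(number) {
  for (let i = 0; i < number.length; i++) {
    for (let d = 0; d <= 9; d++) {
      if (String(d) === number[i]) continue;
      const mutated = number.slice(0, i) + d + number.slice(i + 1);
      if (luhnValid(mutated)) return false;
    }
  }
  return true;
}

// Probe 2: swap each adjacent pair of distinct digits; return the pairs
// that still pass (for a valid input only 09/90 can appear here).
function uncaughtAdjacentSwaps(number) {
  const misses = [];
  for (let i = 0; i + 1 < number.length; i++) {
    if (number[i] === number[i + 1]) continue;
    const swapped = number.slice(0, i) + number[i + 1] + number[i] + number.slice(i + 2);
    if (luhnValid(swapped)) misses.push(number[i] + number[i + 1]);
  }
  return misses;
}
```

luhnValid('4111111111111111') and luhnValid('79927398713') are true; luhnCheckDigit('409') is '3', and uncaughtAdjacentSwaps('4093') returns ['09'] because 4903 also passes. That is the whole of what the card number itself can tell a carder, which is why the checking services in the post concentrate on the CVV2 and expiry.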

Message Edited by SR Blog Moderator on 06-23-2008 12:38 PM

More Posts Next page »