July 2008 - Posts

The peaceful worm…. not :(

Monday July 28, 2008 at 10:28 am CST
Posted by Paolo Palumbo


When analyzing malware, it is not uncommon to stumble across a sample that wants to propagate some sort of message (I am sure everybody remembers the W32/Voterai worm and its political propaganda ;). Well, W32/Agnub.worm certainly does not bring any novelty to this category of malware.

It is the kind of message that is infuriating and insulting. In fact, the W32/Agnub.worm claims to push for peace & love, and, after a successful infection, greets the victim at every boot of the machine with a “nice and poetic” text message:

A really touching message?

It is rather sad to see this type of message from a piece of malware that, among other things, deletes your files. In other words, not only does the victim suffer the damage, they also get teased!

The “best” part, if we can use this expression, can be found by scrolling down to the end of the “peaceful” message:

Apologies are not enough for damaging other people's computers!

Maybe it’s better not to damage other people’s computers at all rather than apologizing later for having done it. :(

Fake Jetblue eTickets
Posted by Patrik @ 21:32 GMT


The most common way a user gets infected these days is through drive-by downloads, and while the prevalence of malicious email attachments has definitely gone down, we still see them on a daily basis. Like today, when we saw a large spam run sending out fake JetBlue e-tickets.


The mail contains a ZIP file containing eTicket#1721.exe, which we detect as Trojan-Spy:W32/Zbot.QO. The malware tries to steal usernames and passwords for online banking sites. I guess we can call this way of spreading malware old school...

Thursday, July 31, 2008

Storm Worm's Lazy Summer Campaigns

The Storm Worm-ers seem to be lacking their usual creativity: instead of the social engineering we are used to, which piggybacks on the momentum of real news items, these days they are making up news of their own.

Storm's latest "FBI vs Facebook" campaign is a very badly executed one: no fast-flux, no social engineering common sense, no client-side exploits, and all the participating domains centralized on a single nameserver.

Domains used :
wapdailynews .com
smartnewsradio .com
bestvaluenews .com
toplessnewsradio .com
companynewsnetwork .com
goodnewsgames .com
marketgoodnews .com
fednewsworld .com
toplessdailynews .com
stocklownews .com


DNS servers :
NS.BRPRBGOK6 .COM
NS2.BRPRBGOK6 .COM
NS3.BRPRBGOK6 .COM 
NS4.BRPRBGOK6 .COM
NS5.BRPRBGOK6 .COM
NS6.BRPRBGOK6 .COM

Strangely, the domain has been registered using an email address hosted on a known Storm fast-flux node, one also used in the recent 4th of July campaign and in the "U.S. invasion of Iran" campaign:

Administrative Contact:
Lee Chung lee@likethisone1.com
+13205897845 fax:
1743, 34
Los-Angeles CA 321458
us


This Storm Worm sample also "phones home" over HTTP alongside the P2P traffic, and tries to obtain the rootkit from the now-down policy-studies.cn /getbackup.php, resolved through already known Storm nameservers:

ns2.verynicebank .com
ns3.verynicebank .com
ns.likethisone1 .com
ns2.likethisone1 .com
ns3.lollypopycandy .com
ns4.lollypopycandy .com

Someone's bored, definitely; it almost looks as if someone else is managing a Storm Worm campaign on their behalf.

Acronis True Image Echo Server FTP AES Encryption Security Bypass

Secunia Advisory:
SA30856

Release Date:
2008-07-31

Critical:

Less critical

Impact:
Exposure of sensitive information

Where:
From remote

Solution Status:
Unpatched

Software:
Acronis True Image Echo Enterprise Server 9.x

Description:
Travis C Johnson has discovered a security issue in Acronis True Image Echo Server, which can be exploited by malicious people to disclose sensitive information.

The security issue is caused by the application not correctly encrypting backups when the backup destination is an FTP server, which can be exploited to disclose sensitive information, e.g. by intercepting the transfer.

The security issue is confirmed in Acronis True Image Echo Server build 8072 for Linux. Other versions may also be affected.

Solution:
Do not rely on the encryption when backing up onto FTP servers.

Create local backups and transfer them manually.

Provided and/or discovered by:
Travis C Johnson

What Is Undetectable Malware?

Friday July 25, 2008 at 4:08 pm CST
Posted by Allysa Myers


OMG, undetectable Trojans are coming to get us! At least that’s what a story in The Register says, referring to Limbo 2.

Or else we’ve just found further evidence of the “AV software is for catching unknown threats” myth.

Malware authors selling “guaranteed undetected” Trojans is not news; it has been happening since Trojan development first became motivated by money. The Trojan authors test their creations against freely available AV scanners, and if a sample is undetected at that moment, it qualifies as “undetected.” However, that doesn’t mean it will always remain undetected, or that another type of security product, such as a firewall or a network intrusion prevention system, won’t detect it.

One amusing example of malware for sale included an end-user license agreement that promised violators would be reported to AV companies so that their botnet could be dismantled.

But I digress. :)

The point is that “undetectable Trojans” implies that some novel method of storing the malware code on the system is being employed, such that security software (and likewise the operating system) is incapable of seeing it. Limbo 2 does no such thing. It’s a simple PWS-Banker Trojan as far as security software is concerned. I find it disappointing that a security company would describe it otherwise–that smacks of FUD to me.

In other news, this will be my last post for the Avert Labs blog. As of next week, I’ll be the Director of Research for West Coast Labs. Thank you all for reading and commenting on my posts throughout the years. Hearing your opinions has been the most entertaining part of being a blogger!

Jul29

Phishers Spoof ‘The Paypal Blog’

by Verna Sagum (Anti-spam Engineer)

Paypal has launched a blog, known as The Paypal Blog, a forum for Paypal employees who want to share their opinions and insights. It also welcomes feedback, suggestions and questions from customers. Unfortunately, phishers have also taken advantage of the popularity of this blog.

There is a spoofed article titled Social Networking Comes to Paypal, shown in Figure 1, that talks about giveaways or “FREE STUFF” for the first 100 customers to sign up on the spoofed login page located below the article (see Figure 2). The page steals customers' Paypal login user names and passwords. To make the blog more convincing, clicking the hyperlinked text full story takes users to the legitimate article Shop with Paypal at OfficeMax and American Eagle Outfitters.

This social engineering trick can trap unwary users because it also uses a genuine-looking phishing domain, thepaypaiblog.com, in which the letter “i” stands in for the “l” of “paypal”. What’s worse, it also uses the picture and identity of a real Paypal employee, a technique considered digital forgery. The phishing URL has already been blocked by Web Classify Server (URL Filtering Service).

Figure 1: Spoofed The Paypal Blog site
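Spotting a look-alike domain such as thepaypaiblog.com is something a mail or URL filter can do mechanically. The following is an added example, not code from the post or from Trend Micro: it maps confusable characters (“i” or “1” for “l”, “0” for “o”, “rn” for “m”) back onto the letters they imitate, then looks in the registrable label for a brand name or a one-edit near miss of it. The brand list, the confusable table and the sample domains are assumptions made for illustration.

```python
"""Flag look-alike (homoglyph / typosquat) domains such as thepaypaiblog.com.

Added example, not code from the original post. The brand list, the
confusable-character table and the sample domains are assumptions.
"""

# Characters attackers swap in because they render alike in common fonts.
# Multi-character confusables ("rn" for "m", "vv" for "w") are applied first.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o", "5": "s", "3": "e", "8": "b",
}

def normalize(label):
    """Map confusable characters onto the letters they imitate."""
    label = label.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):   # longest first
        label = label.replace(src, CONFUSABLES[src])
    return label

def levenshtein(a, b):
    """Edit distance, to catch swaps the confusable table does not list."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Second-level label only: "www.thepaypaiblog.com" -> "thepaypaiblog".
    Assumption: single-label public suffix (.com, .net); good enough here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(domain, brands=("paypal",)):
    """Return (brand, reason) if the domain imitates a brand, else None.

    A label that merely contains the brand ("paypal-secure") is flagged too:
    brand owners seldom register under someone else's second-level label,
    while phishers use exactly that pattern.
    """
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        if label == brand:
            return None                      # the brand's own domain
        if brand in label:
            return (brand, "contains brand name")
        if brand in norm:
            return (brand, "contains brand name after confusable substitution")
        n = len(brand)                       # slide a brand-length window
        for start in range(0, max(1, len(norm) - n + 1)):
            window = norm[start:start + n]
            if len(window) == n and levenshtein(window, brand) == 1:
                return (brand, f"edit distance 1 from brand ({window!r})")
    return None

if __name__ == "__main__":
    for d in ("thepaypaiblog.com", "paypal.com", "paypol.com",
              "paypa1-login.com", "example.com"):
        print(f"{d:22} {lookalike_of(d)}")
```

Run as-is it prints the verdict for each sample; thepaypaiblog.com is caught by the “i” for “l” substitution alone, paypol.com by the edit-distance fallback, and paypal.com itself is left alone. A production filter would also want the public suffix list and a much larger confusable table (Unicode homoglyphs once IDNs are involved), but the two-stage check is the core of it.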

Tuesday, July 29, 2008

Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings

It used to be the case that a botnet would be used for a single purpose: spamming, phishing, or malware spreading. Later, the steady supply of malware-infected hosts allowed botnet masters to "sacrifice" clean IP reputation and engage in several malicious activities simultaneously; today's underground multitasking improves the monetization of what used to be commodity goods and services.

Today, a botnet will not only send out phishing emails and automatically SQL-inject vulnerable sites across the web, but also provide fast-flux infrastructure to money mule recruitment services, all for the sake of squeezing the most out of the botnet as a whole. This optimization makes it possible for a single botnet to be partitioned, and access to it sold and resold so many times that it is hard to keep track of all the malicious activities it participates in. Cybercrime on multiple fronts using a single botnet is only starting to take shape as a concept.

That's the case with Stormy Wormy, according to IronPort whose "Researchers Link Storm Botnet to Illegal Pharmaceutical Sales" :

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."

Murky until now? I can barely see anything around me because of all the smoke from the smoking guns of who's what, what's when, and who's done what with whom, especially in respect to Storm Worm, whose multitasking on different fronts in the first stages of its appearance online made it possible to establish links between several different malware groups and their "upstream hosting providers", until the botnet scaled enough to make it harder to keep track of all of its activities.

The Storm Worm-ers themselves aren't sending out pharma spam; the customers to whom they've sold access to parts of Storm Worm are. Here's a brief analysis published in May: "Storm Worm Hosting Pharmaceutical Scams". What's in it for the scammers? Income from a revenue-sharing affiliate program; the pharmacy affiliate program has been around for several years:

"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"

What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers, whose job today is more one of campaign rotation, ensuring that new bots keep getting added; it is coming from those using the access they've purchased to a part of the botnet.

Related posts:
Storm Worm Hosting Pharmaceutical Scams
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

AVG Anti-Virus UPX Processing Denial of Service

Secunia Advisory:
SA31290

Release Date:
2008-07-29

Critical:

Moderately critical

Impact:
DoS

Where:
From remote

Solution Status:
Vendor Patch

Software:
AVG Anti-Virus 8.x


Description:
Sergio ‘shadown’ Alvarez has reported a vulnerability in AVG Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a divide-by-zero error when processing UPX compressed executables. This can be exploited to cause the scanning engine to crash when scanning a specially crafted UPX compressed executable file.

The vulnerability affects versions prior to 8.0.156.

Solution:
Update to version 8.0.156 or later.

Provided and/or discovered by:
Sergio ‘shadown’ Alvarez

Original Advisory:
AVG:
http://www.grisoft.com/ww.94247

n.runs AG:
http://www.nruns.com/advisories/%5Bn....g%20Divide%20by%20Zero%20Advisory.txt

Trend Micro OfficeScan Web-Deployment ObjRemoveCtrl Class Buffer Overflows

Secunia Advisory:
SA31277

Release Date:
2008-07-29

Critical:

Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
Trend Micro OfficeScan Corporate Edition 7.x

Description:
Elazar Broad has discovered some vulnerabilities in Trend Micro OfficeScan, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in the OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class ActiveX control (OfficeScanRemoveCtrl.dll) on an OfficeScan client when attempting to display a list of configuration settings. These can be exploited to cause stack-based buffer overflows by passing overly long properties when a user e.g. visits a malicious web site.

Successful exploitation allows execution of arbitrary code, but requires that OfficeScan client was installed using web deployment.

The vulnerabilities are confirmed in version 7.3 build 1343 (Patch 4). Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Elazar Broad

Original Advisory:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-July/063524.html

Jul28

The ‘BailiWicked’ Problem

by Jovi Umawing (Technical Communications)

Advanced Threats Researcher Paul Ferguson, along with other security researchers, saw it coming. Code that exploits the flaw in Domain Name System (DNS) servers discovered and disclosed by Dan Kaminsky early this month is confirmed to be in the wild.

Ferguson’s initial report of such code (CNet News had also speculated about it) and the confirmation reported by The Register late last week finally put an end to the one question that has troubled the security industry since Kaminsky’s disclosure. They also vindicate the severity of a threat that many recipients of the news had initially dubbed “shameless hype.” We now expect people to start taking this seriously.

The Kaminsky DNS cache poisoning vulnerability allows attackers and phishers to redirect DNS lookups, which Kaminsky found to be the method used by Netdevilz, a Turkish hacker group, when they hijacked Photobucket last month. And just last week, two exploit modules were developed by security researchers from the Computer Academic Underground (CAU) and the Metasploit Project. Both groups have made the exploit code public via their respective blog entries.

Constant reader, meet the BailiWickeds—DNS BailiWicked Host Attack and DNS BailiWicked Domain Attack: brothers in arms.

CAU’s |)ruid (read as “druid”), who wrote most of the exploit code, explains in this blog entry how the pair can be used against an unpatched DNS server. The host attack module is responsible for “injecting individual uncached host records into the target nameserver’s cache”: the attacker makes the target resolver look up a name that is not yet in its cache, then floods it with spoofed replies (arriving well before the real authoritative server's answer) in the hope that one of them matches the transaction ID and source port of the resolver's outgoing query. To the resolver, the attacker then looks like the legitimate authoritative server, because that is who the spoofed replies appear to come from.

The domain attack module, on the other hand, replaces “a target domain’s nameserver records in a target nameserver’s cache”: once a spoofed reply is accepted, the authority and additional sections of that reply (the part of a normal DNS reply that names the nameservers for a domain) tell the resolver that the attacker's server is authoritative for the whole target domain. From that point on, every lookup under the domain goes to the attacker, who can point users to malicious sites at will.

Current BailiWicked code has been tuned to measure the “dead air” between the resolver's outgoing query and the legitimate incoming reply. This lets the exploit work out how many spoofed replies it can fit into that window on each attempt.

We implore our users to check whether their DNS servers are vulnerable to such exploits by using any of the following tools:

And, yes, we could not stress this more: PATCH NOW.
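To see why the domain attack poisons a whole zone and not just one name, it helps to look at the reply it races with and at the rule a resolver applies before caching its extra records. The block below is an added example and is not code from CAU's or Metasploit's modules or from this post; it sends nothing on the network. It builds one forged reply of the shape the attack relies on, decodes it the way a resolver would, and applies the in-bailiwick rule. example.com, ns.attacker.test and 192.0.2.1 are placeholders.

```python
"""How the BailiWicked domain attack poisons a whole zone.

Added example, not code from the exploit modules or the post. It builds a
forged reply, decodes it, and applies the in-bailiwick rule that decides
which authority/additional records a resolver caches. Names and addresses
are placeholders.
"""
import struct

A, NS = 1, 2                       # RR types used here

def encode_name(name):
    """Wire-format name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off:], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def rr(owner, rtype, rdata, ttl=86400):
    """One resource record, class IN."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def forged_response(txid, qname, zone, evil_ns, evil_ip):
    """A spoofed reply for the random name the attacker made the resolver
    look up. No answer; the authority section claims evil_ns serves the
    whole zone, and the additional section supplies its address ("glue")."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 1, 1)   # QR+AA; qd/an/ns/ar counts
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    authority = rr(zone, NS, encode_name(evil_ns))
    additional = rr(evil_ns, A, bytes(int(o) for o in evil_ip.split(".")))
    return header + question + authority + additional

def parse_response(msg):
    """Return (txid, qname, {section: [(owner, type, value), ...]})."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                        # skip qtype, qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == NS:
                value = decode_name(msg, off)[0]
            elif rtype == A:
                value = ".".join(str(b) for b in msg[off:off + rdlen])
            else:
                value = msg[off:off + rdlen]
            sections[name].append((owner, rtype, value))
            off += rdlen
    return txid, qname, sections

def in_bailiwick(owner, zone):
    """Resolvers cache authority/additional records only when the owner is
    at or below the zone being queried."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def cacheable_records(msg, zone):
    """What a resolver that accepted this reply keeps from the extra sections."""
    _, _, sections = parse_response(msg)
    return [rec for sec in ("authority", "additional")
            for rec in sections[sec] if in_bailiwick(rec[0], zone)]

if __name__ == "__main__":
    reply = forged_response(0x1234, "k7q2x9.example.com", "example.com",
                            "ns.attacker.test", "192.0.2.1")
    for rec in cacheable_records(reply, "example.com"):
        print("cached:", rec)
```

Running it shows the resolver keeping exactly one thing from the forged reply: the NS record saying example.com is served by ns.attacker.test. The glue A record for ns.attacker.test fails the bailiwick check and is dropped, but that does not help the victim: having cached the NS record, the resolver will look up ns.attacker.test through attacker.test's real delegation, which the attacker controls. The bailiwick rule was designed to stop out-of-zone junk, and an NS record for the zone itself is, by definition, in zone; that is the gap the attack walks through, and why the fix is to make the transaction ID plus source port guess infeasible rather than to filter harder.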

Invoice Spam Takes Flight

Friday July 25, 2008 at 10:05 am CST
Posted by Craig Schmugar


Last night we blogged about fake invoice spam carrying malware. Unsurprisingly, those behind the recent attacks continued today with new spam campaigns involving airline ticket invoices. Messages may appear as follows (other spam campaigns may look different):

—————————–
From:
[name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
   or
Subject: Online order for flight ticket [number]
Body:

Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
—————————–

As with previous campaigns, the executable is a new variant of Spy-Agent.bw. Once again, Avert Labs reminds readers to practice safe computing: never open unexpected email attachments or follow unexpected URLs, especially from unfamiliar senders.

DNS cache poisoning vulnerability details confirmed

Published: 2008-07-24,
Last Updated: 2008-07-25 06:47:28 UTC
by Kyle Haugsness (Version: 2)


A couple of the handlers tuned into the Black Hat "webinar" today. The topic was Kaminsky's DNS vulnerability. Here are some quick notes...

  • Dan Kaminsky confirmed the details of the vulnerability. I think he wanted to save the details for Black Hat, but since they got leaked and exploits have shown up in the last 24 hours, there doesn't seem to be much use in delaying any longer. Dan seemed to confirm that the leaked blog entry and the latest Metasploit module have identified the vulnerability correctly.
  • In Kaminsky's tests, he was able to poison a nameserver cache in about 5-10 seconds. This bug allows the attacker to overwrite entries that are already in the cache.
  • Nameservers that are authoritative only are not vulnerable. But setting a high TTL for the hosts you are authoritative for won't keep vulnerable resolvers from being poisoned: this attack bypasses the TTL protection on vulnerable resolvers.
  • DNS client libraries (workstations and servers that resolve through upstream nameservers) need to be patched as well. The attack still works against single unpatched hosts, but the priority should be your resolving nameservers.
  • Home firewall/NAT devices are also proving to be vulnerable, as many don't randomize the source port.
  • If I heard correctly, Joao Damas from ISC (Internet Systems Consortium, maintainers of BIND) reports that he has already seen attacks in the wild for this vulnerability.
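The "5-10 seconds", the irrelevance of TTLs and the NAT remark all follow from the same arithmetic, and it is worth seeing it once. The block below is an added example, not code from the diary or from Kaminsky's talk, and the port lists in it are constructed rather than captured. It computes the expected time to win the race against a fixed versus a randomised source port, and classifies the source ports observed on a resolver's outgoing queries, which is the quick check to run against a home NAT device.

```python
"""Numbers behind the Kaminsky notes, plus a source-port check.

Added example, not from the diary or from Kaminsky. Sample port lists are
constructed, not captured.

- A race is won only if a forged reply matches both the 16-bit transaction
  ID and the UDP source port of the resolver's query. The attacker can start
  a fresh race for a new random name at will, so TTLs do not cap the number
  of attempts; only the size of the guess space does.
- Whether a resolver (or the NAT box in front of it) really randomises
  source ports can be judged from the ports on its outgoing queries.
"""
import math

TXID_SPACE = 1 << 16

def win_probability(forged_per_race, port_space=1):
    """Chance that one race succeeds. port_space=1 models a fixed source port
    (unpatched); ~64000 models a resolver drawing from the whole ephemeral
    range. Forgeries are distinct guesses, so the value is capped at 1."""
    return min(1.0, forged_per_race / (TXID_SPACE * port_space))

def expected_races(forged_per_race, port_space=1):
    return 1.0 / win_probability(forged_per_race, port_space)

def expected_seconds(forged_per_race, races_per_second, port_space=1):
    """Expected time to poison. races_per_second is bounded by how fast the
    attacker can make the target query and by the RTT to the real server."""
    return expected_races(forged_per_race, port_space) / races_per_second

def shannon_entropy_bits(values):
    """Entropy of the observed port distribution. 2**entropy is a lower bound
    on the effective port space (it can never exceed the sample size)."""
    counts = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def source_port_verdict(ports):
    """FIXED: one port for everything (e.g. always 53).
    SEQUENTIAL: consecutive ports, typical of NAT devices that rewrite the
    port but allocate it in order; trivially predictable.
    RANDOM: anything else. Use a few dozen samples at least."""
    if len(set(ports)) == 1:
        return "FIXED"
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    if sum(1 for d in deltas if d <= 2) >= 0.8 * len(deltas):
        return "SEQUENTIAL"
    return "RANDOM"

# Constructed samples: what three kinds of resolver might show over 20 queries.
FIXED_PORTS = [53] * 20
SEQUENTIAL_PORTS = list(range(1030, 1050))
RANDOM_PORTS = [53411, 2187, 61044, 9981, 34522, 47760, 1055, 58320, 22901, 40017,
                6123, 51890, 30007, 12944, 64001, 39188, 5560, 27311, 45002, 18766]

if __name__ == "__main__":
    # Kaminsky's 5-10 seconds falls out of modest numbers against a fixed port.
    print("fixed port, 1000 forgeries/race, 10 races/s:",
          round(expected_seconds(1000, 10), 1), "s")
    print("random port (64000), same rate:",
          round(expected_seconds(1000, 10, 64000) / 86400, 1), "days")
    for label, ports in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(label, source_port_verdict(ports),
              round(shannon_entropy_bits(ports), 2), "bits of port entropy")
```

With 1000 forgeries per race and ten races a second, a fixed-port resolver falls in about 6.5 seconds; against a full ephemeral range the same attacker needs on the order of days, and a resolver that also checks the question section and 0x20 case exactly makes it worse still. To feed real data into source_port_verdict, capture the source ports of queries leaving the resolver (or leaving the NAT device, which is the point of the note above) and pass the list in; a "SEQUENTIAL" verdict from a patched resolver behind a consumer router means the router has undone the patch.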

UPDATE

There is a tool from our friends at Onzra that appears able to detect cache poisoning attacks: http://www.onzra.com/CacheAudit-Latest.tgz

"CacheAudit is an open source application for monitoring the cache of a Recursive DNS server. It allows providers to detect and respond quickly to Cache Poisoning events."

It's still beta so take it with a grain of salt but it's definitely worth a look.

DNS cache poisoning attacks spotted in the wild

Date:07.25.2008

Threat Type: Malicious Web Site / Malicious Code

This is an update to our previous alert on the DNS cache poisoning attacks.

The previously embargoed details of a critical DNS cache poisoning flaw have been correctly deduced, and are now public. In a webinar held just yesterday, Dan Kaminsky, the security researcher who discovered this flaw, confirmed that the vulnerability has been leaked.

More code to exploit this flaw has surfaced since our previous alert on this topic, and attacks have been spotted in the wild.

Major ISPs, including AT&T, Time Warner, and Bell Canada, have yet to respond to this threat, leaving millions of subscribers at risk. Microsoft has issued a formal security advisory; Apple, whose Mac OS X servers are susceptible, has yet to issue a statement.

Websense® Security Labs™ strongly recommends that customers running their own DNS servers patch immediately. Customers who rely on an upstream DNS provider are urged to contact their provider to confirm that this issue has been properly addressed.

References:

http://www.doxpara.com/?p=1185

http://securitylabs.websense.com/content/Alerts/3139.aspx

http://isc.sans.org/diary.html?storyid=4777

http://www.microsoft.com/technet/security/advisory/956187.mspx

http://db.tidbits.com/article/9706

http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447

http://www.kb.cert.org/vuls/id/800113

http://w.on24.com/r.htm?e=114268&s=1&k=638307695FF31ED953EF9EC0DF969C02L

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

http://milw0rm.com/exploits/6130

http://milw0rm.com/exploits/6123

Jul26

‘Rechnung’ Spam Receipts Being Sent (Again)

by Jovi Umawing (Technical Communications)

Senior Anti-Malware Security Specialist Rainer Link has reported receiving a peculiar email notification that masquerades as being sent by PayPal.

Below is a screenshot of a sample spam email:

Screenshot

Alice Decker, Trend Micro Advanced Threats Researcher, has translated the German text:

Good Morning,
Your order Nr. SP1239192 is now executed.
An amount of 6336.09 EURO was debited directly and it will be shown in your Paypal debit entry. You may find attached the details of the invoice.

PayPal (Europe)
S.447; r.l. & Cie, S.C.A.
01-81 Boulevard Royal
L-0342 Luxembourg

Greetings,
CEO: Mia Mayes
Trade register number: R.C.S. Luxembourg B 212 106

Trend Micro detects the attached ZIP file, which poses as the invoice for the said transaction, as WORM_OTORUN.C. This worm propagates by dropping copies of itself onto removable drives and connects to certain Web sites to download possibly malicious files.

What is remarkable about this attack, said Decker, is that a worm is being sent via email, which hasn’t been the norm. It can also be said that the attack is becoming more diverse: past schemes sent downloaders via email that dropped browser-hijacker Trojans (TROJ_BZUB variants), more recently we have been getting downloaders of hijackers with rootkit capabilities (like the WNSPOEM malware), and now, worms.

Additionally, the email message body suggests that a new criminal organization outside Europe triggered this attack, added Decker.

Rechnung spam runs have been hitting users since 2006, and were observed making a comeback during the second half of 2007.

Other such attacks in the past:
Another Yabe Wave
IKEA “Rechnung” malware shops for new targets
New WORM_NUWAR.CQ variant, new faked 1&1 bills, new faked “KD Webshop Bestellung”
Yet Another “Bill” from Ebay

RealNetworks RealPlayer Multiple Vulnerabilities

Secunia Advisory:
SA27620

Release Date:
2008-07-25

Last Update:
2008-07-29

Critical:

Highly critical

Impact:
Exposure of sensitive information
System access

Where:
From remote

Solution Status:
Partial Fix

Software:
RealPlayer 10.x
RealPlayer 11.x
RealPlayer Enterprise 1.x

CVE reference:
CVE-2007-5400 (Secunia mirror)
CVE-2008-1309 (Secunia mirror)
CVE-2008-3064 (Secunia mirror)
CVE-2008-3066 (Secunia mirror)

Description:
Some vulnerabilities have been reported in RealPlayer, which potentially can be exploited by malicious people to disclose certain information or compromise a user's system.

1) An error in the rmoc3260 ActiveX control when handling the "Controls", "Console", or "WindowName" properties with a specific timing can be exploited to cause a memory corruption.

This is reportedly similar to:
SA29315

2) An unspecified error can be exploited to reference local resources.

3) A design error within the handling of frames in Shockwave Flash (SWF) files can be exploited to cause a heap-based buffer overflow.

4) A boundary error in rjbdll.dll can be exploited to cause a stack-based buffer overflow by importing a media library file using an ActiveX control and deleting the imported file.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The following products are affected by one or all vulnerabilities (see vendor's advisory for details):
* RealPlayer 11 (11.0.0 - 11.0.2 builds 6.0.14.738 - 6.0.14.802)
* RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741)
* RealPlayer 10
* RealPlayer Enterprise
* Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503)
* Mac RealPlayer 10 (10.0.0.305 - 352)
* Linux RealPlayer 10

Solution:
Update to the latest versions. Please see the vendor's advisory for details.
http://service.real.com/realplayer/security/07252008_player/en/

NOTE: Vulnerability #1 is not fully fixed in the updated RealPlayer 11.0.3 Build 6.0.14.806 and users are advised to set the kill-bit for the ActiveX control.

Provided and/or discovered by:
1) Independently discovered by:
* Peter Vreugdenhil
* Elazar Broad
3) Dyon Balding, Secunia Research
4) Anonymous researcher, reported via ZDI.

The vendor also credits CERT/CC and Haifei Li.

Changelog:
2008-07-28: Updated advisory based on additional information from vendor and ZDI. Updated "Solution" section. Added additional affected software versions, CVE references, credits, and links in "Original Advisory" and "Other references" sections.
2008-07-29: Updated advisory based on additional information from Secunia Research showing that the updated RealPlayer 11.0.3 Build 6.0.14.806 is still affected by vulnerability #1 when handling the "Controls" and "WindowName" properties. Updated status and "Solution" sections.

Original Advisory:
RealNetworks:
http://service.real.com/realplayer/security/07252008_player/en/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-047/
http://www.zerodayinitiative.com/advisories/ZDI-08-046/

Secunia Research:
http://secunia.com/secunia_research/2007-93/

Elazar Broad (via Full-Disclosure):
http://lists.grok.org.uk/pipermail/full-disclosure/2008-July/063476.html

Other References:
SA29315:
http://secunia.com/advisories/29315/

US-CERT VU#461187:
http://www.kb.cert.org/vuls/id/461187

US-CERT VU#298651:
http://www.kb.cert.org/vuls/id/298651

Jul24

Banker Summons You to Court

by Carolyn Guevarra (Technical Communications)

For the longest time now, Brazilian banking Web sites have been among the favorite targets of malware criminals for stealing sensitive banking information from users. These spyware Trojans usually arrive in spam emails with various, and quite clever, social engineering techniques to trick users into divulging such data. From the latest headlines to sly imitations of legitimate Web sites, these BANKER authors never seem to run out of sneaky tactics for duping the Internet user.

One of the latest variants we’ve seen uses spam emails that supposedly come from one of Brazil’s Public Ministry offices. The email is a fake notice of hearing, summoning the recipient to appear at the office of the attorney general for an investigation procedure.

The attached file is a RAR archive which, when opened, leads to the download of the files OUT.JPG and WDFMGR.JPG. Judging by their extensions these appear to be image files, but in actuality they are malicious executables, which Trend Micro detects as TSPY_BANKER.GRX. This spyware steals sensitive information when a user accesses PayPal and other online banking Web sites. It does so by overlaying the legitimate Web site with a spoofed login page whenever the user visits a banking site with any of the following strings in the title bar:

  • BancoBrasil
  • Nossa Caixa
  • Pay - Microsoft Internet Explorer

Based on analysis, the spoofed login page overlays the legitimate login area of the legitimate Web site, thus tricking the user into thinking that it is part of the IE window. The spoofed login page is placed in a fixed area of the legitimate Web site. It steals information by logging the keystrokes the user enters in the user name and password fields of the spoofed login page. The gathered data is then sent to the malware author via email.

TSPY_BANKER.GRX is also able to send out spam messages. But instead of an email like the one above, this time it sends out a fake e-card containing a link from which other banker spyware, such as TROJ_BANLOAD.EKG, is downloaded. The spam emails may carry any of the following subject lines:

  • Lembrei de Você (I remembered you)
  • É só um simples cartão (It's just a simple card)
  • Queria muito que você desse uma Olhadinha. (I'd really like you to take a look.)
  • Eu mesmo que preparei. (I prepared it myself.)

Here’s a sample e-card that it sends out:

To date, the breach count has reached an all-time high of 342 reported breaches in the first half of 2008, up 69% from the same period in 2007, according to the Identity Theft Resource Center (ITRC). Of that number, 80.7% are electronic data breaches, such as this one. Unless people learn to be more alert and attentive to information theft attacks, and learn to properly use security software to safeguard their systems, this number will continue to rise for the rest of 2008.

Jul24

Web Form Spam Alive and Kicking

by Aljerro Gabon (Antispam Engineer)

Spammers have never balked at using Web forms as a way of sending out spam messages; anything to expose their wares. Basically, they look for a public Web server that lets visitors send feedback or information to a company. These Web forms require them to fill in fields with information such as names, phone numbers, email addresses, and, wait for it, even spam messages. Even worse, spammers can also send image spam and/or infected files if the Web form has a field that lets them attach files. Once they have filled in the form and submitted it to the Web server, the recipients of the Web form's output receive the spam.

Strictly speaking, the messages they get are not spam email; they are another type of threat/annoyance. Here is a sample Web form:


Figure 1. Web form allowing all sorts of input from site visitors

Here are two sample Web form feedback emails with spam content:


Figure 2. Sample email with spam content sent by the Web form feedback mechanism. Notice the active hyperlinks to spam sites and domains.


Figure 3. Another sample email with spam content

The possible victims here are the employees of the target company, specifically the designated recipients of the Web form feedback. This looks like an automated attack by a bot that scours the Web for possible points of entry. Since the actual sender of an email like this is legitimate (the Web form’s feedback mechanism), some anti-spam filters may let it through.

Again, this is a reminder for Web admins to enforce some kind of input sanitization that, at the very least, disallows scripts and HTML tags in Web form fields, or to use one of the many secure form-to-email scripts available online. Some of these require users to solve a CAPTCHA before being allowed to submit the form. These proactive measures will save admins both the time and resources needed to sift through this kind of unsolicited and useless content.
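What "some kind of input sanitization" looks like in practice, as an added example that is not code from the post or from Trend Micro: the handler below strips HTML, limits the number of links in the message body, and validates the sender address. It goes slightly beyond the post in one respect, which is that it also rejects CR/LF in any field copied into a mail header, because a form-to-email script that puts "name" or "subject" straight into From:/Subject: otherwise lets the spammer append Bcc: lines of their own (email header injection). The field names and the three sample submissions are made up.

```python
"""Input checks for a form-to-email handler.

Added example, not code from the post. Field names and the three sample
submissions are constructed. Besides stripping HTML and limiting links, it
rejects CR/LF in header-bound fields (email header injection).
"""
import html
import re

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]*>")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

HEADER_FIELDS = ("name", "email", "subject")   # end up in mail headers
MAX_LINKS = 2                                   # genuine feedback rarely needs more
MAX_FIELD_LEN = 2000

def strip_html(text):
    """Remove tags until nothing changes, unescaping first each round so
    '&lt;script&gt;' cannot turn back into a tag later on."""
    prev = None
    while prev != text:
        prev = text
        text = TAG_RE.sub("", html.unescape(text))
    return text

def validate_submission(fields):
    """Return (clean_fields, reasons). Empty reasons means accept and mail
    the cleaned fields; otherwise drop the submission and log the reasons."""
    reasons, clean = [], {}
    for key, value in fields.items():
        value = value.strip()
        if len(value) > MAX_FIELD_LEN:
            reasons.append(f"{key}: too long")
        if key in HEADER_FIELDS and re.search(r"[\r\n]", value):
            reasons.append(f"{key}: newline in header field (header injection)")
        clean[key] = strip_html(value)
    if not EMAIL_RE.match(clean.get("email", "")):
        reasons.append("email: malformed")
    links = URL_RE.findall(clean.get("message", ""))
    if len(links) > MAX_LINKS:
        reasons.append(f"message: {len(links)} links (limit {MAX_LINKS})")
    return clean, reasons

# Constructed submissions: one genuine, one spam, one header-injection attempt.
LEGIT = {"name": "Jane Doe", "email": "jane@example.net", "subject": "Order question",
         "message": "Hi, is item 42 still in stock? See www.example.net/item/42"}
SPAM = {"name": "buy now", "email": "x@spam.example", "subject": "cheap meds",
        "message": '<a href="http://pills.example">BUY</a> http://pills.example '
                   'http://pills2.example www.pills3.example <script>alert(1)</script>'}
INJECT = {"name": "Bob\r\nBcc: victim1@example.org, victim2@example.org",
          "email": "bob@example.org", "subject": "hello", "message": "hi"}

if __name__ == "__main__":
    for label, sub in (("legit", LEGIT), ("spam", SPAM), ("inject", INJECT)):
        _, reasons = validate_submission(sub)
        print(label, "ACCEPT" if not reasons else "REJECT: " + "; ".join(reasons))
```

The genuine submission passes with its single link intact, the spam is rejected for carrying three links (its HTML is stripped regardless), and the header-injection attempt is rejected because of the newline in the name field. A CAPTCHA, as the post suggests, sits in front of all of this and cuts down the bot traffic; these checks are what catches whatever still gets through.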

Jul24

Fake Trend Micro Virus Clean Tool Spreads Malware Dirt

by JM Hipolito (Technical Communications)

Trend Micro recently discovered malware posing as the Trend Micro iClean tool being sent through email by Chinese hackers. This is a screenshot of the email message:


Figure 1. Spam email in Chinese looking very much like it came from Trend Micro.

The email message was fashioned to look like an email message sent by Trend Micro, with the file attachment iClean20.EXE.

But be warned: iClean20.EXE is detected by Trend Micro as TROJ_FAKECLEAN.A. TROJ_FAKECLEAN.A drops two files, one detected as BKDR_POISON.GO and the other the real iClean tool. Dropping the legitimate tool alongside the malware was presumably done to convince users that the message was indeed from Trend Micro and that the tool was the only file installed on their systems.

BKDR_POISON.GO opens a random port and allows a remote user to execute commands on the affected system.

The Trend Micro iClean tool is an application that combines Rootkit Buster and SICTool. Its main functions include:

  • Removal of common viruses and rootkits
  • IE cache folder clean-up
  • Temp folder clean-up
  • Collection of Trend Micro antivirus virus logs
  • Collection of diagnostic information related to malicious code

The real Trend Micro iClean tool is available for download at the Trend Micro Taiwan site:


Figure 2. The real Trend Micro iClean tool at the Trend Micro Taiwan site.

Trend Micro will NEVER send tools or applications through email. Trend Micro advises users to be wary in opening and downloading attachments from unknown users and to download tools or applications from trusted sites only.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: July 25, 2008

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (956187)

- Title: Increased Threat for DNS Spoofing Vulnerability

- http://www.microsoft.com/technet/security/advisory/956187.mspx

- Revision Note: July 25, 2008: Advisory published.

Pay Attention to 3rd-Party Software

Wednesday July 23, 2008 at 9:10 am CST
Posted by Zhu Cheng

Trackback

The need to pay attention to security never goes away. Fortunately, operating system vendors continue to improve their platforms, and they have made great progress in security: traditional stack or heap overflows have become more difficult to exploit. However, we cannot become complacent, because it is clear that hackers have shifted their attention to third-party software. Some popular applications have become targets for viruses and Trojans. Just recently, vulnerabilities were found and exploited in several popular programs: RealPlayer (CVE-2007-5601), Yahoo Messenger (CVE-2007-5017), Adobe Acrobat Reader (CVE-2008-2641), and Flash Player (CVE-2007-0071). All of these are remote code-execution vulnerabilities, and working exploits can be found on the Internet. So although the majority of users have installed the latest operating-system patches, they are still at risk of being attacked through third-party vulnerabilities.

A few days ago, I witnessed an actual exploit occur at a friend’s home. He was running Microsoft Windows Vista, and the attack was targeted at RealPlayer. His mistake was that he had disabled the User Access Control functionality of Vista because he did not like the alerts. So he didn’t get any warning prompts except when a message box showed that RealPlayer would close before the malicious code ran. I then saw many cmd.exe and other suspicious processes start. Windows Vista has the best security so far in the Windows family; nonetheless, all of this happened.

Watching this attack made me think of enterprise security. Businesses cannot pay attention only to operating system vulnerabilities; they need to pay attention to third-party software as well. Currently, security in third-party software is no better than that in operating systems. So the best practice I can recommend is to use risk and compliance software to scan for third-party software that does not match enterprise policy, and then to update or remove those applications.

Mozilla releases Thunderbird 2.0.0.16, fixes security vulnerabilities

Published: 2008-07-24,
Last Updated: 2008-07-24 17:25:33 UTC
by Bojan Zdrnja (Version: 1)

0 comment(s)

Mozilla yesterday released a new version of Thunderbird, 2.0.0.16, which fixes a couple of security vulnerabilities, some of them allowing remote code execution.

Full list of fixed vulnerabilities is available at http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.16

If you are running Thunderbird, make sure you have patched it.

Keywords: mozilla thunderbird

F-Secure Rescue CD 3.00
Posted by Sean @ 15:43 GMT | Comments


Our colleagues from the Linux team blogged about it last month, but it's worth repeating:
The latest version of our Emergency Rescue CD is available.
It's a bootable Linux CD that can scan Windows hard drives (NTFS and FAT) as well as attached USB drives.
If the computer has an Internet connection, the virus definition databases are updated automatically. If an Internet connection isn't available, the definition databases can be manually updated using a USB drive.
It's an excellent support tool. It's also one of the best ways to scan for and to remove MBR rootkit infections.
You can download it from here and read more details from the Linux team's post.
F-Secure Rescue CD3

Thursday, July 24, 2008

Vulnerabilities in Antivirus Software - Conflict of Interest

Vulnerabilities within security solutions, antivirus software in this case, are a natural event; however, the conflict of interest and the failure of communication between those who find them and those who refuse to acknowledge them as vulnerabilities harms the customer. How they are counted, and how their severity is measured in a situation where a vulnerability that bypasses an antivirus product's scanning and lets malware sneak in is rated as less important than remote code execution through the antivirus software itself, is a good example of short-sightedness. Here's a related development regarding a recent study of vulnerabilities in antivirus software, "McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position":

"Several days after blogging about a research conducted by n.runs AG that managed to discover approximately 800 vulnerabilities in antivirus products, McAfee issued a statement basically debunking the number of vulnerabilities found, and providing its own account into the number of vulnerabilities affecting its own products :

“A recent ZDnet blog discusses a large number of vulnerabilities German research team N.Runs says it found in antimalware products from nearly every vendor. The ZDNet posting includes scary graphs to frighten users of security products. We researched the N.Runs claims by analyzing the raw data and found their claims to be somewhat exaggerated. We will discuss our findings (and make available our source data) in the attached document. We have also provided our source data for anyone who wishes to examine it.”

Today, n.runs AG has issued a response to McAfee's statement, providing even more insights into the vulnerabilities they've managed to find, how they found them, and why the affected antivirus vendors are questioning the number of flaws in general."

Consider going through the interview with Thierry Zoller as well.

UPDATE: The folks at ThreatFire know how to appreciate my rhetoric.

Related posts:
Scientifically Predicting Software Vulnerabilities
Zero Day Initiative "Upcoming Zero Day Vulnerabilities"
Delaying Yesterday's "0day" Security Vulnerability
Shaping the Market for Security Vulnerabilities Through Exploit Derivatives
Zero Day Vulnerabilities Market Model Gone Wrong
Zero Day Vulnerabilities Auction
The Zero Day Vulnerabilities Cash Bubble

“The-Cat-is-Out-of-The-Bag” DNS Bug


There has been a lot of hush-hush recently regarding a DNS security issue found by Dan Kaminsky. An industry-wide coordinated effort led by Dan ensured that patches were released by multiple vendors. Even though Dan has not yet made the technical details public, an inadvertent leak on the Matasano Security blog seems to have given away a lot of the information regarding the issue. At this time I cannot confirm that the findings published in the leaked (and subsequently removed) blog post are in fact the same details that Dan is to make public at Black Hat, but the scenarios described there are a very serious threat to the Internet at large. As has been discussed in a number of follow-on blogs and articles, the threat emerges from two different issues with the DNS protocol.

1. Prediction of Source Port and Transaction ID: DNS primarily uses UDP packets to send questions and receive answers. The image below depicts a very simple scenario where a Client is trying to look up the IP address for www.bob.com.
Normal DNS Lookup

DNS question (request) and answer (response) UDP packets have the following simple structure.

DNS Packets

The Client will accept any packet as an answer to its question as long as the packet appears to come from the DNS Server, the source and destination ports match the destination and source ports of the question packet, and, most importantly, the Transaction ID and Question match its question. An attacker can spoof such an answer packet as long as he can forge the DNS Server's source address and guess the source port (SP1) and transaction ID (TID1) of the question (the destination port is usually 53). The attacker also needs to make sure his spoofed answer packet reaches the Client before the real answer from the legitimate DNS Server. The image below depicts a very simple attack scenario.
DNS Attack Scenario

 

2. Additional Resource Records: When a DNS server replies to a question, it can also include additional information in the answer to make future lookups more efficient. A typical answer from the bob.com DNS server to a question from the Client DNS server such as "What is the IP for www.bob.com?" may look like the following image.
Normal DNS Packet
So the next time the Client DNS server needs to know the IP of another host in the bob.com domain, such as mail.bob.com, it will send the question directly to either the DNS server at 1.1.1.254 or the one at 1.1.1.244.

Combining the above two issues is what makes this more interesting. If an attacker succeeds in predicting the source port and transaction ID (Issue 1 above) and also inserts additional records into the spoofed answer packet that point the DNS servers for bob.com at the IP of his evil DNS server (Issue 2 above), he can control all traffic directed to the bob.com domain. Below is an image showing such a spoofed answer packet.

Attack DNS Packet
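The exchange described above, as an added example that is not part of the original post: a Python model of the question and answer packets, the checks a resolver makes before it accepts an answer (source address, swapped ports, transaction ID and question), the bailiwick rule that decides which additional records get cached, and the blind-spoofing loop from Issue 1 run against a resolver that always asks from the same source port. Every name, address and port (1.1.1.253, port 1025, 6.6.6.6, ns1.bob.com) is a constructed assumption, and the race against the legitimate answer is left out of the model. The search-space function shows why the vendor patches Dan coordinated randomize the source port: it multiplies the attacker's blind guessing work by roughly the number of ephemeral ports.

```python
"""Model of the DNS spoofing scenario above (added example, not the original post's code).
Every name, address and port is a constructed assumption."""
import random
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
EPHEMERAL_PORTS = 65535 - 1024 + 1  # source ports a randomizing resolver can choose from


def encode_name(name):
    """'www.bob.com' -> length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def decode_name(pkt, off):
    """Decode a name at pkt[off:], following compression pointers; return (name, next_off)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)


def build_rr(name, rtype, rdata, ttl=300):
    """One resource record; rdata is a dotted IPv4 for A, a host name for NS."""
    rd = bytes(int(o) for o in rdata.split(".")) if rtype == TYPE_A else encode_name(rdata)
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd


def build_response(txid, qname, answers, authority=(), additional=()):
    """The answer packet (QR=1); sections are lists of (name, type, rdata)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for section in (answers, authority, additional):
        for name, rtype, rdata in section:
            body += build_rr(name, rtype, rdata)
    return hdr + body


def parse_response(pkt):
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    out = {"txid": txid, "qname": qname, "qtype": qtype,
           "answer": [], "authority": [], "additional": []}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata = (".".join(str(b) for b in pkt[off:off + rdlen]) if rtype == TYPE_A
                     else decode_name(pkt, off)[0])
            off += rdlen
            out[key].append((name, rtype, rdata))
    return out


def accepts_answer(pending, src_ip, src_port, dst_port, pkt):
    """The acceptance checks from the post: server address, swapped ports, TXID, question."""
    resp = parse_response(pkt)
    return (src_ip == pending["server_ip"] and src_port == pending["dst_port"]        # 53
            and dst_port == pending["src_port"] and resp["txid"] == pending["txid"]   # SP1, TID1
            and resp["qname"].lower() == pending["qname"].lower() and resp["qtype"] == TYPE_A)


def in_bailiwick(rr_name, zone):
    """Cache additional records only for names at or under the zone the answer is for."""
    rr, z = rr_name.lower().rstrip("."), zone.lower().rstrip(".")
    return rr == z or rr.endswith("." + z)


def cacheable_glue(pkt, zone):
    return [rr for rr in parse_response(pkt)["additional"] if in_bailiwick(rr[0], zone)]


def spoof_search_space(port_randomized):
    """How many (source port, TXID) pairs a blind attacker has to cover."""
    return 65536 * (EPHEMERAL_PORTS if port_randomized else 1)


def run_attack(seed=1):
    """Blind spoof against a resolver that always asks from port 1025 (pre-patch behaviour)."""
    rng = random.Random(seed)
    pending = {"server_ip": "1.1.1.253", "qname": "www.bob.com", "src_port": 1025,
               "dst_port": 53, "txid": rng.randrange(65536)}
    # Forged answer: www.bob.com plus NS glue for bob.com, all pointing at the attacker.
    body = build_response(0, "www.bob.com", [("www.bob.com", TYPE_A, "6.6.6.6")],
                          authority=[("bob.com", TYPE_NS, "ns1.bob.com")],
                          additional=[("ns1.bob.com", TYPE_A, "6.6.6.6"),
                                      ("evil.com", TYPE_A, "6.6.6.6")])[2:]
    for guess in range(65536):  # attacker cycles through TXIDs with the server's address forged
        forged = struct.pack("!H", guess) + body
        if accepts_answer(pending, "1.1.1.253", 53, 1025, forged):
            return {"pending_txid": pending["txid"], "accepted_txid": guess,
                    "cached_glue": cacheable_glue(forged, "bob.com")}
    return None
```

Note what the bailiwick rule does and does not buy here: the glue for evil.com is discarded, but ns1.bob.com is inside bob.com, so the forged glue pointing it at 6.6.6.6 is cached and every later bob.com lookup goes to the attacker. With the source port fixed, the attacker needs at most 65536 forged packets to hit the transaction ID; randomizing the port raises the blind search space to 65536 times the number of ephemeral ports, which is the change the July patches introduced.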
Although everything looks simple in theory, the two important keys to successful exploitation lie in the process for guessing the source port and the transaction IDs. In reality a large number of attempts are required by an attacker to guess the source port and the transaction ID of a DNS question before an answer from legitimate DNS server