December 2008 - Posts

A New spam circulating fake wire transfer statements

Wednesday December 24, 2008 at 9:33 am CST
Posted by Shinsuke Honjo


A new downloader trojan is being spammed widely today. The message is crafted to look like a reply to a wire transfer enquiry that the recipient supposedly sent.

[Image: spam message]

When a user runs the file "bank_statement.scr" from the attached ZIP (a .scr screensaver is an ordinary Windows executable despite the extension), it downloads the BackDoor-DSG trojan. As a decoy it also fetches a harmless PDF document from a legitimate site in the background and opens it. The PDF, however, has nothing to do with any wire transfer.
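As an added example (not code from the original post or from McAfee), here is a small Python check that a mail gateway or an analyst could run against an attached ZIP. It flags members by executable extension, by a PE "MZ" header in the content regardless of what the member is called, and by a double extension. The ZIP it inspects is constructed in memory to resemble the attachment described above; the extension list is an assumption.

```python
"""Inspect a ZIP attachment for executable content, whatever the member is called.

Added example: the sample archive below is constructed in memory to resemble
the spam attachment (a PE stub named bank_statement.scr); it is not the real sample.
"""
import io
import zipfile

# Assumption: extensions Windows runs on double-click; extend for your gateway.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".cpl"}


def _extension(name):
    """Lower-cased final extension of a member name, or '' if it has none."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_zip(zip_bytes):
    """Return [(member_name, [reasons])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _extension(name)
            with zf.open(info) as fh:
                magic = fh.read(2)          # PE files start with the DOS stub "MZ"
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"extension {ext} is executable on Windows")
            if magic == b"MZ":
                reasons.append("content starts with MZ (PE executable)")
            if ext in EXEC_EXTENSIONS and name.rsplit("/", 1)[-1].count(".") > 1:
                reasons.append("double extension hides the real type")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: a PE stub named like the spam attachment, a PE stub
    disguised as a PDF, and a harmless text file."""
    pe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # not a runnable executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bank_statement.scr", pe_stub)
        zf.writestr("statement.pdf", pe_stub)
        zf.writestr("readme.txt", b"Please find the statement attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_zip()):
        print(member, "->", "; ".join(why))
```

The content check matters more than the extension check: a renamed executable such as "statement.pdf" above is still flagged, while a block list of extensions alone would let it through.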

[Image: decoy PDF document]

The trojan file is repacked for each message, so no two attachments are identical. This time the malware authors are also changing the resource section of the PE file, including the icon and the version-information strings.

For example, we observed the following icons:

[Image: icons]

Other resources:

FileDescription:

  • Auto-reader Module
  • Reader_Module
  • Adobe Reader HSMC
  • Adodb_SSL_reader

Translation:

  • English
  • Spanish
  • Korean

CompanyName:

  • Adobe
  • ADOBE

These crafted resources, like the malicious code itself, are produced by server-side polymorphism: every download is a freshly generated variant intended to evade signature-based anti-virus detection, so file hashes are of little use as indicators for this campaign. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr and the dropped files as BackDoor-DSG with DAT 5474 or later.

MS08-067 Worm on the Loose

Published: 2008-12-31,
Last Updated: 2008-12-31 14:26:41 UTC
by David Goldsmith (Version: 1)


Symantec has identified W32.Downadup.B, a new worm that spreads by exploiting the Server service RPC vulnerability patched by MS08-067.

It does a number of things to install and hide itself on the infected computer. It deletes any System Restore points the user has set and disables the Windows Update service. It looks for ADMIN$ shares on the local network and tries to brute-force their passwords with a built-in dictionary; on domains with an account lockout policy, this guessing shows up as a wave of locked-out accounts, which is often the first symptom anyone notices. At this point the worm's purpose appears to be simply to spread and infect as many computers as possible. After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself. Examples of the domain names are in the Symantec W32.Downadup.B writeup.

The general form of the URL it generates is http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d, where %d stands for a decimal number. You could therefore configure proxy servers or IDS sensors to look for "/search?q=" followed by digits to find systems on your network that may have been compromised by this worm. Legitimate search engines use the same path, so check the host as well as the path.
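The detection the diary suggests, as an added Python example that is not from the ISC diary or from Symantec: it parses Squid-style proxy log lines, matches the /search?q=<number> shape on plain HTTP, and excludes hosts where a numeric search is plausible. The "%d" in the diary is printf notation, so the query value is a decimal integer. The log lines and host names are constructed; the allow list is an assumption to tune locally.

```python
"""Spot the Downadup update-URL shape in proxy logs.

Added example, not from the ISC diary or Symantec. The sample log lines are
constructed in Squid's native access.log layout; the hosts are made up.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# /search?q=<integer> and nothing else in path or query
DOWNADUP_PATH_RE = re.compile(r"^/search\?q=\d+$")

# Assumption: hosts where a numeric search is plausible and benign; tune locally.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# time elapsed client code/status bytes method URL ...  (Squid native format)
SQUID_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def is_downadup_url(url):
    """True for http://<host>/search?q=<number> on a host that is not allow-listed."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    if parts.hostname.lower() in ALLOWED_SEARCH_HOSTS:
        return False
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    return bool(DOWNADUP_PATH_RE.match(path_and_query))


def suspects_from_log(lines):
    """Map client IP -> list of matching URLs, for clients that hit the pattern."""
    hits = defaultdict(list)
    for line in lines:
        m = SQUID_RE.match(line)
        if m and m.group("method") == "GET" and is_downadup_url(m.group("url")):
            hits[m.group("client")].append(m.group("url"))
    return dict(hits)


# Constructed log lines, not real traffic; reserved TLD and TEST-NET addresses.
SAMPLE_LOG = [
    "1230725000.123    245 10.1.2.3 TCP_MISS/200 512 GET http://www.google.com/search?q=holiday - DIRECT/198.51.100.1 text/html",
    "1230725001.456    102 10.1.2.3 TCP_MISS/404 300 GET http://qwplmxzvb.example/search?q=1231 - DIRECT/198.51.100.2 text/html",
    "1230725002.789     98 10.1.2.3 TCP_MISS/404 300 GET http://nhkeyrtz.example/search?q=982 - DIRECT/198.51.100.3 text/html",
    "1230725003.000    120 10.1.2.9 TCP_MISS/200 800 GET http://www.google.com/search?q=12345 - DIRECT/198.51.100.1 text/html",
    "1230725004.000    120 10.1.2.9 TCP_MISS/200 800 GET http://intranet.example/search?q=12345&lang=en - DIRECT/198.51.100.4 text/html",
]


if __name__ == "__main__":
    for client, urls in suspects_from_log(SAMPLE_LOG).items():
        print(client, "->", ", ".join(urls))
```

A single hit is weak evidence; a client that repeatedly requests this path on different, random-looking hosts (as 10.1.2.3 does above) is the pattern worth paging on. Patching MS08-067 and cleaning the host come first; the log search only tells you where to look.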

David Goldsmith

MD5 SSL Summary

Published: 2008-12-30,
Last Updated: 2008-12-30 21:46:19 UTC
by Johannes Ullrich (Version: 1)


I would like to quickly summarize the SSL MD5 issue presented at the CCC congress in Berlin today. Let me start with a quick FAQ:

  1. How bad is it?
    Bad. But we will survive. The problem makes it possible to create "perfect" phishing sites with valid SSL certificates. The protocol impacted the most is probably HTTPS, but other protocols that use SSL may be affected as well.
  2. What can I do? What do I have to do?
    Not much. This is not a "bug" in your browser, and the protocol is not "broken"; just the way some certificate authorities use it is broken. If you use SSL for purposes like an SSL VPN, you may be able to limit the number of CAs you trust. The more you can limit it, the better.
  3. Is my SSL certificate "affected"?
    Maybe. See the vendor bulletins below for details; it depends on who issued your certificate. Note that the attack is against the CA, not against your certificate: even if yours is signed with SHA1, someone holding a rogue CA certificate obtained through an MD5-signing CA can issue a certificate in your site's name that browsers will accept.
  4. Why switch to SHA1 and not RIPEMD/SHA2?
    Well... SHA1 is universally supported by current SSL libraries. SHA2 is still new and not well supported.
  5. What protocols other than HTTPS are affected?
    Everything that uses SSL. Most notably: SSL VPNs, S/MIME. SSH is not affected.

So what is the problem? Some certificate authorities still sign the certificates they issue with MD5 (md5WithRSAEncryption). MD5 has been known to be collision-prone for years, and this is just another attack built on those known weaknesses. The reason it matters for certificates: the CA's RSA signature covers only the MD5 digest of the certificate, so any second certificate with the same digest carries an equally valid signature. The researchers obtained a certificate legitimately issued by an MD5-signing CA and, using a chosen-prefix collision, a second certificate with the same digest whose contents mark it as a CA, giving them a rogue intermediate CA that chains to a trusted root. These certificate authorities have to change the way they do business (i.e. sign with SHA1 instead). Your browser ships with a set of trusted certificate authorities, and sadly some very popular CAs do use MD5. Disabling those CAs is neither recommended nor feasible. The attack is still not easy, but it is very much possible and not just "theoretical": the researchers used a cluster of 200 PlayStation 3 systems and it took them a couple of days, so a reasonably sized botnet would probably do it faster.

Once you hold such a rogue CA certificate, you can sign certificates at will and browsers will trust them. This can be used for MiM (Monkey in the Middle) attacks and to impersonate trusted websites.
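The one concrete thing an administrator can check today is which signature algorithm the certificates in a CA bundle or a server's chain actually carry. The following is an added Python example, not from the ISC diary or any vendor: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and flags md5WithRSAEncryption. It works on real DER or PEM input; the certificates it is run against below are constructed skeletons with the outer Certificate shape, not real signed certificates. As the FAQ above says, a clean result for your own certificate does not protect you from a rogue CA, so the useful target is the trust store itself.

```python
"""Report the signature algorithm of X.509 certificates (DER or PEM), to find
MD5-signed ones in a CA bundle or a server's chain.

Added example, not from the ISC diary or any vendor. The certificates fed to it
in __main__ are constructed skeletons built by the encoder below: they have the
outer Certificate shape (tbsCertificate, signatureAlgorithm, signatureValue)
but are not real, signed certificates.
"""
import base64
import re

MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SIGNATURE_OIDS = {
    MD5_WITH_RSA: "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


# ---- minimal DER decoding -------------------------------------------------
def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """DER OID content bytes -> dotted string."""
    arcs = [content[0] // 40, content[0] % 40]
    cur = 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem_text):
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)           # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OID")
    return _decode_oid(oid)


def uses_md5(cert_der):
    return signature_algorithm(cert_der) == MD5_WITH_RSA


# ---- minimal DER encoding, only to build the constructed samples ----------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def skeleton_cert(sig_oid):
    """Constructed, unsigned stand-in with the outer Certificate structure."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                    # placeholder body
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")     # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 17)                           # empty BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in SIGNATURE_OIDS:
        der = skeleton_cert(oid)
        print(SIGNATURE_OIDS[signature_algorithm(der)], "<- MD5" if uses_md5(der) else "")
```

To audit a bundle, split the PEM file on its END CERTIFICATE markers, feed each block through pem_to_der and signature_algorithm, and list the issuers of anything that comes back as md5WithRSAEncryption. Roots are self-signed and their own signature is irrelevant to trust; what you want to know is which roots still issue MD5-signed subordinate or end-entity certificates, which this check answers only for the certificates you happen to hold.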

Basic "best practices" still apply. This attack is not a "game changer". Most attacks will probably still use bad certificates and ask the user to click "OK" to accept them.

So short summary: It is bad, but there isn't much you can or need to do right now. Just stay vigilant and read the vendor announcements below for more details:

Vendor Announcements:

Microsoft:
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx

Mozilla:
  http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/

(we will add more as we find them)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: ccc md5 ssl


********************************************************************

Title: Microsoft Security Advisory Notification

Issued: December 30, 2008

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (961509)

- Title: Research proves feasibility of collision attacks against MD5

- http://www.microsoft.com/technet/security/advisory/961509.mspx

- Revision Note: Advisory published

Mass Injection On John Sands Greeting Card Company Site

Date:12.23.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the Web site of John Sands Greeting Card Company has been infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been found to contain the malicious code.
John Sands is the largest greeting card company in Australasia, helping both Australians and New Zealanders to celebrate with a huge variety of cards and gift wrap items under brand names such as John Sands, The Ink Group, Momentum Greetings and Creative Stationery. Acquired by American Greetings in 1996, the company was founded in 1837 by John Sands, the son of an English engraver, and is Australia's second oldest registered company.
In an effort to protect its visitors, Websense Security Labs has contacted John Sands Greeting Card Company and advised them of this incident. The ThreatSeeker Network has been tracking how such injection attacks spread across reputable Web sites, whose visitors then become the targets.
[Screenshot of the infected site]

[Screenshot of the infected site source and malicious payloads]

Websense Messaging and Websense Web Security customers are protected against this attack.
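A site owner can look for an injection like this in their own pages before a vendor does. The following is an added Python example, not Websense's detection logic: it scans fetched HTML for the shapes a mass JavaScript injection usually leaves behind, namely an off-site script include (often appended after the closing </html>), an iframe sized or styled to be invisible, and inline obfuscation primitives. The indicators are assumptions about typical injections, not the specific payload on the John Sands site, and the page it scans is constructed.

```python
"""Heuristic scan of fetched HTML for the shapes a mass JavaScript injection
usually leaves behind.

Added example, not Websense's detection logic; the indicators are assumptions
about typical injections, and the page below is constructed.
"""
import re
from urllib.parse import urlsplit

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
ZERO_SIZE_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?0(?!\d)", re.I)
HIDDEN_STYLE_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
OBFUSCATION_RE = re.compile(r"\b(unescape|String\.fromCharCode|eval)\s*\(", re.I)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def find_injections(html, page_url):
    """Return [(kind, src, where)] for every indicator found in html."""
    page_host = _host(page_url)
    html_end = html.lower().rfind("</html>")
    findings = []

    # 1. <script src> pointing at another host; relative and same-host includes are skipped
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        host = _host(src)
        if host and host != page_host:
            where = "after </html>" if html_end != -1 and m.start() > html_end else "in body"
            findings.append(("offsite-script", src, where))

    # 2. iframes the visitor cannot see
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        if ZERO_SIZE_RE.search(tag) or HIDDEN_STYLE_RE.search(tag):
            src = SRC_ATTR_RE.search(tag)
            findings.append(("hidden-iframe", src.group(1) if src else "", "in body"))

    # 3. inline code that decodes or evaluates something at run time
    for m in OBFUSCATION_RE.finditer(html):
        findings.append(("obfuscation", m.group(1), "inline"))

    return findings


# Constructed page and URL; reserved .test names and a TEST-NET address.
SAMPLE_PAGE_URL = "http://www.cards.test/catalogue.html"
SAMPLE_HTML = """<html><head><title>Cards</title>
<script src="/js/menu.js"></script>
<script src="http://www.cards.test/js/cart.js"></script></head>
<body><h1>Greeting cards</h1>
<iframe src="http://203.0.113.7/in.cgi?3" width=0 height=0 frameborder=0></iframe>
<script>document.write(unescape('%3Cdiv%3E'))</script>
</body></html>
<script src="http://static.bad.test/x.js"></script>
"""


if __name__ == "__main__":
    for kind, src, where in find_injections(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:15} {where:14} {src}")
```

Expect false positives from legitimate third-party scripts (analytics, ad networks, CDNs): compare the off-site hosts against the list your developers actually use rather than alerting on every one. A script tag that appears after </html> is the strongest single signal, because nothing a developer wrote belongs there.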

Dec 22

Two Credit Unions Phished

by Verna Sagum (Fraud Analyst)

The Trend Micro Content Security Team discovered two phishing URLs within hours of each other that use the branding of legitimate credit unions to trick unsuspecting users into giving out confidential information.

Here’s a screenshot of a page that spoofs the O Bee Credit Union:


Figure 1. Sample phishing page.

The page is hosted at http://{BLOCKED}e.com/tmpimages/www.obee.com/ and loads a "survey". O Bee access IDs, passwords, email addresses, card numbers and PINs entered into the survey boxes are captured by the phishers.

The Quimper Community Federal Credit Union was also attacked by phishers.


Figure 2. Sample phishing page.

The URL http://www.{BLOCKED}w.net/cu/910331605/ loads a spoofed login page that instructs users to enter personal credentials such as their account number and password.


Figure 3. Fake login page.

Clicking the login button takes users to a spoofed confirmation page that asks them to complete a form. This page also requests account details such as full name, debit card number and PIN.

The Trend Micro Smart Protection Network already blocks these URLs and protects users from the phishing pages.

Dec 21

‘Dating Spam’

by Maria Alarcon (Anti-spam Research Engineer)

Amid the usual threats that arrive with the holidays, an odd increase in spam ploys that have nothing to do with the season has been noticed.

It is "dating spam" using one of the most common techniques there is: the same plain-text invitation to chat in every message, with a reply address on the same domain. Further analysis confirmed that this dating spam had been seen a few days earlier, and that the domain used in this run was newly registered, created just a day after the spam was first observed.


Figure 1. Sample dating spam



Figure 2. Another sample

Although these spam runs do not appear to be tied to any malware activity, they show that spammers are not necessarily jumping on every seasonal angle. Since more and more users now recognise their usual tactics, it is possible the spammers have decided it is time to change their style.

All spam emails are already detected by the Email Services Reputation through the Trend Micro Smart Protection Network.

Fun for the whole family

 

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: December 22, 2008

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (961040)

- Title: Vulnerability in SQL Server Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/961040.mspx

- Revision Note: Advisory published

All the IE articles, all in one place

Published: 2008-12-19,
Last Updated: 2008-12-19 17:22:03 UTC
by Joel Esler (Version: 1)


For those of you interested in reading all the IE documents, links, diary entries and such that we have posted over the past few days (weeks?), please see here:

0-day exploit for Internet Explorer in the wild -- Bojan Zdrnja

MSIE 0-day Spreading via SQL Injection -- Johannes Ullrich

The continuing IE saga -- workarounds -- Jim Clausing

Microsoft announces an out of band patch for IE zero day -- Donald Smith

Internet Explorer 960714 is released -- Donald Smith

IE bug being exploited by Word Documents -- Joel Esler

Happy reading!

-- Joel Esler http://www.joelesler.net



IE bug being exploited by Word Documents

Published: 2008-12-19,
Last Updated: 2008-12-19 17:16:45 UTC
by Joel Esler (Version: 1)


We have published several articles over the past few days detailing the latest IE flaw (the one addressed by the out-of-band MS08-078 update). Now one of our readers (thanks roseman) writes in with an article posted over on ComputerWorld.

It turns out that this bug is now being exploited through Word documents. While this is basically a simple evolution of the delivery method, I imagine it is only the first or second evolution; there are more to come, I am sure. We don't have any samples of this malware yet, so if you have any, we would like a few examples.

-- Joel Esler http://www.joelesler.net

BitDefender Antivirus Scanner for Unices PE File Parsing Integer Overflows

Secunia Advisory:
SA33240

Release Date:
2008-12-19


Critical:
Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
BitDefender Antivirus Scanner for Unices 7.x


Description:
Some vulnerabilities have been reported in BitDefender which can potentially be exploited by malicious people to compromise a vulnerable system.
The vulnerabilities are caused by integer overflows when processing certain PE files packed with NeoLite or ASProtect, and can potentially be exploited to execute arbitrary code via specially crafted PE files. Since a scanner parses untrusted files by design, a bug in its PE parser is reachable by anyone who can get a file in front of it, for example as an email attachment.
The vulnerabilities are reported in version 7.60825 and prior. Other versions may also be affected.
Solution:
Reportedly fixed via automatic updates since September 24, 2008.
Provided and/or discovered by:
Jonathan Brossard, iViZ Techno Solutions Pvt. Ltd.
Original Advisory:
http://www.ivizsecurity.com/security-advisory-iviz-sr-08012.html

Sophos Anti-Virus Products CAB Archive Processing Vulnerability

Secunia Advisory:
SA33177

Release Date:
2008-12-19


Critical:
Moderately critical

Impact:
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
Sophos Anti-Virus 4.x
Sophos Anti-Virus 5.x
Sophos Anti-Virus 7.x
Sophos Anti-Virus Small Business Edition
Sophos Anti-Virus Small Business Edition 2.x
Sophos MailMonitor for Notes/Domino
Sophos MailMonitor for SMTP
Sophos PureMessage for UNIX 4.x
Sophos PureMessage for UNIX 5.x
Sophos PureMessage Small Business Edition 2.x


Description:
A vulnerability has been reported in various Sophos Anti-Virus products, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
The vulnerability is caused due to an unspecified error when processing certain malformed CAB archives. This can be exploited to crash the application and may allow the execution of arbitrary code.
Successful exploitation requires that CAB archive scanning is enabled (disabled by default).
Solution:
Fixed in the Sophos virus engine 2.82.1.
EM Library and Sophos small business customers should receive automatic updates.
Provided and/or discovered by:
Jonathan Brossard, iViZ Techno Solutions Pvt. Ltd.
The vendor also credits Oulu University Secure Programming Group.
Original Advisory:
Sophos:
http://www.sophos.com/support/knowledgebase/article/50611.html
Oulu University Secure Programming Group:
http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
iViZ:
http://www.ivizsecurity.com/security-advisory-iviz-sr-08015.html

Your Computer is Under Investigation
Posted by Response @ 07:03 GMT


A mildly amusing sample came in today.
The sample itself is a very simple Visual Basic application. When executed, the unlucky recipient is shown this message:
[Image: FBI_WARNING]
Clicking the "Warning" button plays an alarm sound over the computer's speakers; clicking "FBI" closes the form.
The sample also launches the default browser and opens www.fbi.gov, the legitimate FBI website.
Other than that, it seems to have no malicious intent and may have been a prank.
It seems rather old-fashioned, considering today's more monetized threat landscape.
Response team post by — KM

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: December 18, 2008

********************************************************************

Summary
=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS08-078 - Critical

Bulletin Information:
=====================

* MS08-078 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

- Reason for Revision: V1.1 (December 18, 2008): Added unaffected server core notation for Windows Server 2008 for 32-bit Systems and Windows Server 2008 for x64-based Systems.  Clarified the entry, in Frequently Asked Questions (FAQ) Related to This Security Update, about this out-of-band update and cumulative security updates for Internet Explorer.  Finally, added an undo method for the workaround, Disable XML Island functionality.

- Originally posted: December 17, 2008

- Updated: December 18, 2008

- Bulletin Severity Rating: Critical

- Version: 1.1

American Express web bug exposes card holders

XSS: Entrenched since November 2008

By Dan Goodin in San Francisco

Posted in Security, 16th December 2008 21:27 GMT

Updated: A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says.

Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' authentication cookies, which are used to validate American Express customers after they enter their login credentials. Depending on how the website is designed, miscreants could use the cookies to access customer account sections, said Russ McRee of the Holistic Security blog. A URL demonstrating this weakness is here (http://find.americanexpress.com/search?q=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C%2FSCRIPT%3E).

McRee aired the American Express dirty laundry here (http://holisticinfosec.blogspot.com/2008/12/online-finance-flaw-american-express.html) after spending more than two weeks trying in vain to get someone inside the company to fix the problem. After getting no response from lower level employees, he emailed a director of a department responsible for information security at Amex. None of his emails was answered.

"I believe they have an obligation to respond, even if it's brief and callous," McRee told El Reg. "You don't have to be polite. Just fix it."

American Express proudly proclaims itself (https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=home&merch_van=datasecurity) as a founding member of the PCI Security Standards Council, the group that forges the rules governing the Payment Card Industry. McRee says PCI's Data Security Standards expressly hold that XSS errors are a violation of those rules, so Amex's inaction carries a fair amount of irony.

XSS vulnerabilities are by far the most common class of security flaw affecting websites. They allow attackers to inject their own malicious code and graphics into trusted websites. In the process, they can siphon cookies, passwords, and other input supplied by users, or create convincing spoof sites that show the target website's URL in the user's address bar. XSS vulnerabilities are generally quick and easy to fix.

On Monday, the XSSed blog reported (http://www.xssed.com/news/80/New_highly_critical_Facebook_XSS_vulnerabilities_pose_serious_privacy_risks/) three XSS bugs in Facebook, and within hours, they appeared to have been squashed. After sitting on a separate XSS flaw for four months, the social networking site exorcised it last week after The Register reported it here (http://www.theregister.co.uk/2008/12/10/four_month_old_facebook_hole/).

The NoScript (http://noscript.net/) add-on for the Firefox browser does an admirable job fending off XSS bugs. The upcoming version of Internet Explorer 8, which is now in beta, also sports some impressive anti-XSS (http://www.theregister.co.uk/2008/08/20/microsoft_xss_filter/) features.

The Amex XSS vulnerability is the result of a lack of input validation, and of output encoding, for the q parameter of a GET request: whatever the visitor types into the search box is reflected into the page unchanged. In addition to exposing users' cookies, it gives attackers an easy way to create counterfeit pages for phishing and to inject malicious code using an iframe. Proofs of concept for those exploits are here (http://find.americanexpress.com/search?q=%22%3E%3Cscript%20src=http://holisticinfosec.org/js/warning.js%3E%3C/script%3E) and here (http://find.americanexpress.com/search?q=%22%3E%3Ciframe%20src=http://www.visa.com%3E).
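To show why the q parameter is the problem and what the fix looks like, here is an added Python example that is not American Express's code: a search handler that reflects q into an attribute and into page text, first unescaped (the defect) and then with HTML output encoding, run against the same payload shape as the PoC URL above. The host in PAYLOAD_URL is a placeholder and the page templates are invented.

```python
"""Reflected XSS in a search handler: the vulnerable rendering beside the
hardened one, driven by the proof-of-concept URL shape from the article.

Added example, not American Express's code; the host in PAYLOAD_URL is a
placeholder and the page templates are invented.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Same payload as the article's PoC, on a placeholder host
PAYLOAD_URL = ("http://find.example.test/search"
               "?q=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C%2FSCRIPT%3E")


def query_param(url, name="q"):
    """Return the first value of ?name=... from url, percent-decoded ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q):
    """Echoes q straight into an attribute value and into text: the leading
    "> ends the attribute and the <input> tag, and the rest is parsed as markup."""
    return (f'<input type="text" name="q" value="{q}">'
            f'<p>Results for {q}</p>')


def render_hardened(q):
    """Same page with output encoding: html.escape(quote=True) turns & < > " '
    into entities, so the value can neither end the attribute nor open a tag."""
    safe = html.escape(q, quote=True)
    return (f'<input type="text" name="q" value="{safe}">'
            f'<p>Results for {safe}</p>')


def contains_script_tag(markup):
    """Crude check used here only to show whether the payload survived as markup."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    q = query_param(PAYLOAD_URL)
    print("decoded q :", q)
    print("vulnerable:", render_vulnerable(q))
    print("hardened  :", render_hardened(q))
```

Encoding has to match the context the value lands in: html.escape is right for element text and quoted attribute values, but a value placed inside a JavaScript string or a URL needs JavaScript or URL encoding instead. Separately, marking the session cookie HttpOnly keeps document.cookie from returning it, which blunts the cookie-theft PoC but does nothing against the phishing-page and iframe variants, so it complements the encoding fix rather than replacing it.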

We emailed Amex representatives and asked them if the company has a procedure for people to report XSS errors and other flaws that compromise their PCI compliance. A spokesman called back to say the company is looking in to McRee's report. We'll be sure to update this story when we get the results. ®

Update

Less than an hour after this story was posted, Amex closed the hole. Fortunately, McRee has documented it in this video (http://holisticinfosec.org/video/online_finance/amex.html). A day after this story was published, Amex spokesman Rob Sherman called to say company web developers began working on a fix shortly after reading about the vulnerability on McRee's blog.

"We take all aspects of our data security very seriously, and we appreciate people bringing to our attention any potential vulnerabilities so we can act on them as quickly as possible," he said.

Security researchers who discover vulnerabilities on Amex's site may report them by contacting a member of the company's PR team, he added. A list of contacts is available here (http://home3.americanexpress.com/corp/pc/media_contacts.asp).
