February 2009 - Posts

Downadup—Advanced Crypto Protection

Editor’s Note: This is the concluding article in Symantec’s multi-part series covering specific and interesting aspects of W32.Downadup.

The conclusion of my previous blog posed an interesting question to readers: “...seeing as the list of the future domains was publicly disclosed on the Web, why hadn’t any other cyber criminals taken advantage of the predictions?” Antivirus companies and many independent security researchers were able to crack the domain prediction algorithm used by the worm, so it is reasonable to believe that other people were able to achieve the same result, but with different intentions. In fact, predicting what the next domain will be creates the perception that someone can take control over the botnet, and, for example, start pushing a bank Trojan to these millions of machines infected with Downadup. We already know that there’s no honor among thieves, and so it won’t be a surprise if we see future Downadup domains registered by other criminals. There are also credible reports that this is already happening because some of the future domains pointed to well-known IP addresses used by the ASProx gang in the past.

Unfortunately, the takeover is not such a simple job. Registering a domain with the intent of stealing the Downadup botnet is not enough. Nobody, except Downadup’s authors, will be able to push files to the botnet because of some advanced security measures utilized by the gang.

We analyzed the downloading routine of Downadup.B and found that it is secured by asymmetric cryptography. The digital signature and very long crypto keys make this job impossible. The payload downloaded from one of the domains is encrypted with RC4 (using a 64-byte key) and then digitally signed by the authors using their private key. In fact, the worm binary contains the corresponding public key (4096-bit) and a value that looks like the public exponent. The algorithm looks similar to RSA encryption, or perhaps it’s just one of the asymmetric algorithms available today.

Figure 1. Public crypto key hardcoded in the worm binary

At the moment, no download has been observed on Downadup-infected machines, so nobody can tell you what the payload, presumably fetched over HTTP by the botnet at some point in the future, actually is. So, we can’t tell you today what the unwanted gift will be, but we can tell you what it will look like:

Figure 2. Code snippet of the header-parsing routine

Looking at the code snippet above, we can say that the “package” downloaded by Downadup will have a general header with a size of 12 bytes, followed by multiple instances of encrypted and digitally signed payloads. Each of these payloads will have its own header (20 bytes) and will contain an appended blob of data at the end (512 bytes), which is the unique digital signature of the payload. The following diagram shows the structure of the whole package and that of a single payload.

Downadup authors tried to put basic safety checks in place so the code verifies that the received package is bigger than 12 bytes, and also that the size stored in the general header matches the size of data received. There are also checks to avoid reading after the end of the data (ironically, they seem very afraid of having buffer overflows in the code!).

The structures and the fields of the headers are defined below:

GENERAL_HEADER (size = 12 bytes)

00    DW    num_of_entries     ; num of payloads in the package
04    DW    size_of_data       ; size of data without this header
08    DW    (not_used)         ; ?

PAYLOAD_HEADER (size = 20 bytes)

00    DW    dwFileNumber       ; unique identifier for this payload
04    DW    dwUnknownX         ; ?
08    DW    dwExpTime_lo       ; expiration time (low)
0C    DW    dwExpTime_hi       ; expiration time (high)
10    DW    dwLengthOfFile     ; size of encrypted data

The verifier routine runs a loop that parses the header of each payload to locate the end of the encrypted data (dwLengthOfFile), where the digital signature is stored. Using the asymmetric algorithm and the public exponent/modulus values, the code decrypts the 512-byte digest and extracts two important things: the real decryption key (64 bytes, used later with the RC4 algorithm) and the hash value of the encrypted data (64 bytes). The following diagram shows what the worm expects after asymmetric decryption of the digital signature.

Finally, the worm performs all of the validations that will allow it to verify if the payload is trusted and has been created by the real author, by following these steps:

1. It verifies that the hash extracted from the signature matches the hash calculated over the encrypted data (i.e., the encrypted message has not been altered);
2. It runs RC4 decryption over the encrypted data with the 64-byte key extracted from the signature;
3. It calculates the hash of the decrypted data after RC4 and verifies that this new hash matches the decryption key (i.e., the encryption key is the hash of the plaintext message).

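The package walk and the three verification steps above, as an added example that is not Symantec’s or the worm’s own code. It assumes little-endian DWORD fields, that the opened 512-byte signature carries the 64-byte RC4 key followed by the 64-byte hash (the page’s diagram of that layout is not reproduced here), and it takes the signature-opening and hash functions as parameters because the worm’s 4096-bit key and its custom hash are not available; SHA-512 is used as a stand-in hash purely so that the code runs.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, List

GENERAL_HEADER_LEN = 12   # num_of_entries, size_of_data, (not_used)
PAYLOAD_HEADER_LEN = 20   # dwFileNumber, dwUnknownX, dwExpTime_lo/hi, dwLengthOfFile
SIGNATURE_LEN = 512       # blob appended to each encrypted payload
KEY_LEN = HASH_LEN = 64   # RC4 key and custom hash are both 64 bytes


class PackageError(ValueError):
    """Raised when a package fails a structural or cryptographic check."""


@dataclass
class Payload:
    file_number: int
    unknown_x: int
    exp_time: int       # dwExpTime_hi << 32 | dwExpTime_lo
    encrypted: bytes    # dwLengthOfFile bytes of RC4 ciphertext
    signature: bytes    # the 512-byte signature that follows it


def parse_package(data: bytes) -> List[Payload]:
    """Walk GENERAL_HEADER and each PAYLOAD_HEADER with the bounds checks
    the text describes, never trusting a declared length over the data."""
    if len(data) <= GENERAL_HEADER_LEN:                 # "bigger than 12 bytes"
        raise PackageError("package not larger than the general header")
    num_entries, size_of_data, _unused = struct.unpack_from("<III", data, 0)
    if size_of_data != len(data) - GENERAL_HEADER_LEN:  # header size vs. received
        raise PackageError("size_of_data does not match the bytes received")
    payloads, offset, end = [], GENERAL_HEADER_LEN, len(data)
    for _ in range(num_entries):
        if end - offset < PAYLOAD_HEADER_LEN:
            raise PackageError("truncated payload header")
        file_number, unknown_x, exp_lo, exp_hi, length = struct.unpack_from(
            "<IIIII", data, offset)
        offset += PAYLOAD_HEADER_LEN
        # Compare the declared length against what remains instead of forming
        # offset + length + 512: that sum is where a 32-bit implementation can
        # wrap around and end up reading past the buffer.
        remaining = end - offset
        if remaining < SIGNATURE_LEN or length > remaining - SIGNATURE_LEN:
            raise PackageError("dwLengthOfFile runs past the end of the data")
        encrypted = data[offset:offset + length]
        signature = data[offset + length:offset + length + SIGNATURE_LEN]
        offset += length + SIGNATURE_LEN
        payloads.append(Payload(file_number, unknown_x,
                                (exp_hi << 32) | exp_lo, encrypted, signature))
    # Extra strictness for an analysis tool; not a check the text attributes to the worm.
    if offset != end:
        raise PackageError("trailing bytes after the last payload")
    return payloads


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key schedule + keystream); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def verify_payload(p: Payload, open_signature: Callable[[bytes], bytes],
                   custom_hash: Callable[[bytes], bytes]) -> bytes:
    """Steps 1-3 from the text; returns the plaintext or raises PackageError.
    open_signature applies the public key to the 512-byte signature;
    custom_hash is the worm's 64-byte hash (unknown, so supplied by the caller)."""
    opened = open_signature(p.signature)
    key, expected = opened[:KEY_LEN], opened[KEY_LEN:KEY_LEN + HASH_LEN]  # assumed layout
    if custom_hash(p.encrypted) != expected:        # 1. ciphertext unaltered?
        raise PackageError("hash of encrypted data does not match the signature")
    plaintext = rc4(key, p.encrypted)               # 2. decrypt with the signed key
    if custom_hash(plaintext) != key:               # 3. key must equal hash(plaintext)
        raise PackageError("hash of decrypted data does not equal the RC4 key")
    return plaintext


def standin_hash(data: bytes) -> bytes:
    """SHA-512 stands in for the worm's unknown 64-byte hash so the example runs."""
    return hashlib.sha512(data).digest()


def build_package(entries, custom_hash=standin_hash) -> bytes:
    """Construct a test package from (file_number, plaintext) pairs. The key is
    set to custom_hash(plaintext), as step 3 requires; the signature block is
    left unsealed because no private key is available here."""
    body = b""
    for file_number, plaintext in entries:
        key = custom_hash(plaintext)
        enc = rc4(key, plaintext)
        sig = (key + custom_hash(enc)).ljust(SIGNATURE_LEN, b"\x00")
        body += struct.pack("<IIIII", file_number, 0, 0, 0, len(enc)) + enc + sig
    return struct.pack("<III", len(entries), len(body), 0) + body
```

With a real sample, open_signature would be the public-key operation using the modulus and exponent from Figure 1, and custom_hash the worm's own routine; the structural checks in parse_package are the part a defender can reuse as-is.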
The hashing algorithm used by the worm does not look similar to any of the well-known algorithms. It produces a hash value of 64 bytes (512 bits), but it’s not the popular SHA-512. We just know that the hash value of null (i.e., an empty file) produced by this custom algorithm is the following sequence:

6B 7F 33 82 1A 2C 06 0E CD D8 1A EF DD EA 2F D3 C4 72 02 70 E1 86 54 F4 CB 08 EC E4 9C CB 46 9F
8B EE EE 7C 83 12 06 BD 57 7F 9F 26 30 D9 17 79 79 20 3A 94 89 E4 7E 04 DF 4E 6D EA A0 F8 E0 C0

After all of this analysis, the conclusion is that the Downadup authors have taken extreme measures to protect their work, and this again demonstrates the level of professionalism of these criminals. We suppose that these crooks are afraid of just two things right now: the $250K bounty offered by Microsoft, and the risk of having an exploitable buffer overflow in their code. In fact, while the crypto protection can’t be easily bypassed, it may be that their code has some exploitable overflow condition that would allow some other bad guy to push a malformed package that will DoS or exploit the worm. The code seems to have basic checks against large buffers; but, for example, there could be problems with a buffer smaller than expected or with integer wrap caused by invalid sizes. But that’s another story.

Note: Big thanks to Eric Chien for his help with this analysis.

What Have We Learned From Past Virus Infections?


The year 2009 has so far been a hectic one for anti-virus vendors and IT administrators alike, “thanks” to two prolific malware families: W32/Conficker and W32/Virut. Malware researchers and field engineers have literally burned the midnight oil to ensure networks are protected against these threats.

Some of the organizations that were hit with these infections had the latest Microsoft updates installed but still got infected. During the post-mortem of the outbreaks, one glaring mistake stood out.

Administrators routinely attend to distress calls from users whenever they have an issue with their machines. By habit, the admins tend to log onto the affected workstation using their own accounts—which have domain-administrator privileges. For a moment, let us assume the suspicious user’s workstation was infected with W32/Conficker. What could possibly go wrong from here?

When the W32/Conficker worm infects a machine, it scans the local network and attempts to infect machines using the credentials of the currently logged-on user. If the initial login attempt fails, then the worm attempts a brute-force attack to authenticate, using a hardcoded list of passwords. Because most organizations have enforced complex password policies these days, brute-forcing is ineffective. But the moment the administrator logs onto the affected machine using his or her domain account, W32/Conficker runs using the elevated credentials of a domain administrator. Straight away the worm can infect any host on the domain using these newly acquired administrator credentials. Shown below is a traffic-capture screenshot of this behavior.

W32/Conficker infecting via SMB

Upon copying the worm’s DLL to the System32 folder, W32/Conficker proceeds to create a scheduled job task to execute the worm at a predefined time. In a matter of minutes the entire network, with thousands of machines, gets infected.

It’s pretty much the same story with W32/Virut, a polymorphic entry-point-obscuring virus that spreads by infecting executable and script files. A machine infected with W32/Virut would scan and infect shared drives on the network using the credentials of the currently logged-on user. Because most domain users have limited write access to shared resources on the network, the infection is confined to a subset of machines. But the moment the administrator commits the cardinal sin of logging onto an infected machine, W32/Virut runs with elevated credentials and has write access to every C$ and Admin$ share on the network.

To prevent such an outbreak from happening, it is imperative that administrators refrain from logging onto a suspect machine using their own accounts. Logging on using the workstation’s local administrator account can also have the same effect; most corporate workstations are ghosted from the same image and could have the same local admin account and password.

An alternative is to use remote desktop solutions such as VNC, GoToAssist, or TeamViewer. These three are not tied to domain authentication. Once a suspect machine is identified, it should be isolated from the network for further investigation. Better safe than sorry ;-)


Feb25
by Rik Ferguson (Threat Marketing Communications)

At about 11pm GMT last night, 24th Feb, I heard people complaining that they were being sent unsolicited instant messages from their friends over a number of networks including Facebook, Google Chat, and AOL Instant Messenger.

The messages weren’t sent by their friends, rather by cybercriminals who were using compromised accounts in order to phish for login details and more accounts to compromise. Instant messages looked like this:


Figure 1. Sample instant message.

The link was created using the TinyURL service, which shortens complex or difficult to remember URLs. Just recently, however, this said service was used by cybercriminals to hide the real destinations of their links in spammed messages. Now, TinyURLs are being used in IM-based phishing.

The obfuscated URL pointed to a phishing site aimed at harvesting login credentials for Google Chat, Facebook, MySpace, MSN, Yahoo, AIM, and ICQ accounts.


Figure 2. Phishing page.

The compromised accounts would then be used to further IM spamming attacks to harvest yet more accounts, which could then be used for more sinister endeavours.

We advise anybody who feels concerned that they may have exposed their login credentials to change account passwords as soon as possible. We previously explained password policy in this Trend Micro blog post.

Error Check System, Kenny Glenn, and Parking Tickets
Posted by Sean @ 16:55 GMT | Comments (3)

Error Check System: As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence.

It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula, create something that spawns a search, then be ready to provide results that redirect to malicious sites.

XP-Police dialog

Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic… They're both.

Let's take a look at some other recent examples.

Kenny Glenn: Just over a week ago, on February 15th, an anonymous teenage boy abused a cat called Dusty and posted video on YouTube.

The Dusty video rapidly ignited a vigilante campaign and three hours later the boy was identified as Kenny Glenn from Lawton, Oklahoma. The local Sheriff was called in and Dusty was removed from the boy's home.

But things went further still: Facebook groups were formed calling for Glenn's punishment; Glenn's MySpace page was defaced; the family's personal information was posted online; and the Glenn Oil Company website, owned by Glenn's father, was hacked.

When it occurs, this type of Internet vigilantism moves very quickly and soon takes on a life of its own. That then starts the news cycle and presents an opportunity for abuse.

While following the Dusty story ourselves, we read this post from blog.SpywareGuide.

Rogue vendors attempted to capitalize on the growing interest in the Kenny Glenn meme, and searches for Glenn led to rogue sites. Here's a screenshot of the Google search results for "kenny glenn cat" from last Thursday:

Kenny Glenn Cat

The highlighted freewebs.com result redirected to a site that attempted to push XP Police.

The SpywareGuide blog was posted on Wednesday; our search 24 hours later still yielded rogues.

Testing the XP Police site with a Mac demonstrates just how bogus these scams are:

XP-Police, Mac OS X

Now obviously the bad guys didn't know in advance that Kenny Glenn would abuse poor Dusty. They were just taking advantage of the situation and jumped into action.

But are there situations where rogue affiliates have created opportunity? Yes there are…

Parking Tickets: That's right, parking tickets in North Dakota.

SANS blogged about it earlier this month.

Some North Dakotans found a yellow ticket on their windscreen reading:

  •  "PARKING VIOLATION This vehicle is in violation of standard parking regulations".

That sounds kind of familiar.

The supposed ticket then instructed the victim to visit a website where the driver could:

  •  "view pictures with information about your parking preferences"

To view the pictures, a toolbar needed to be installed, that then pushed rogues at the victim.

The BBC reported on it here.

Microsoft: Last October, Microsoft and Washington state started suing scareware purveyors. There are also some recent cases in which rogue bank funds were seized. Perhaps that's a good start, but it isn't nearly enough. The real bad guys aren't scared.

How's this for bold?

Many XP Antivirus variants hamper analysis by checking for an Internet connection. Our test networks need to be configured to provide the expected reply if we want to automate our analysis.

And what page does the rogue check for?

  •  http://update.microsoft.com/windowsupdate/v6/thanks.aspx

The XP Antivirus gang has been doing this for some time now… seems to us like a slap in Microsoft's face.

We would like to see Microsoft slap them back. Using a hammer.

Excel Exploited

Yesterday, our engineers in Japan noticed the arrival of some unusual submissions from a small number of our customers. All of these submissions contained suspicious Microsoft Office Excel 2007 spreadsheets. Further analysis showed that these files were exploiting a vulnerability in Excel that allowed them to drop and execute a binary onto the file system.

We see this kind of behavior all the time, but as the analysis of the vulnerability progressed it became clear that this vulnerability is one that we had not seen before. It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format. Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system—the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This helps to decrease suspicion when the affected spreadsheet is opened.

The people behind this attack use some additional techniques to help evade detection. For example, they use weak encryption on the binary embedded in the spreadsheet. After decrypting the payload you will notice that the MZ header has been obfuscated to evade casual analysis. One of the tricks used switches characters—MZ becomes ZM and PE becomes EP. The following screenshot shows what happens to the ubiquitous “This program cannot be executed in DOS mode.”

This is all very basic but can help evade certain types of detection. Our tests have shown that this exploit has been created for and works in Excel 2007, but previous versions of Excel fail to gracefully handle the exception caused by exploitation attempts. As a result of this, it is possible that this issue is exploitable in older versions of Excel.
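Recognizing and undoing the MZ/ZM and PE/EP swap described above, as an added example that is not Symantec's code. It assumes the swap is limited to the two magic values and that the e_lfanew pointer at offset 0x3C is left intact; the sample image is constructed, not taken from the dropped binary.

```python
import struct
from typing import Optional


def find_swapped_pe(blob: bytes) -> Optional[int]:
    """Return e_lfanew if `blob` is a PE image whose magic values were
    byte-swapped (MZ -> ZM at offset 0, PE\\0\\0 -> EP\\0\\0 at e_lfanew),
    otherwise None. Assumes e_lfanew itself was not touched."""
    if len(blob) < 0x40 or blob[:2] != b"ZM":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"EP\x00\x00":
        return None
    return e_lfanew


def unswap_pe(blob: bytes) -> bytes:
    """Restore the genuine magic values so ordinary PE tooling parses the file."""
    e_lfanew = find_swapped_pe(blob)
    if e_lfanew is None:
        raise ValueError("not a swapped-magic PE image")
    fixed = bytearray(blob)
    fixed[0:2] = b"MZ"
    fixed[e_lfanew:e_lfanew + 2] = b"PE"
    return bytes(fixed)


def make_sample(swapped: bool) -> bytes:
    """Constructed 0x80-byte stub: a DOS header whose e_lfanew points at
    0x40, where a PE signature sits (no real sections), optionally with
    the two magic values swapped the way the dropper does it."""
    img = bytearray(0x80)
    img[0:2] = b"ZM" if swapped else b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = (b"EP" if swapped else b"PE") + b"\x00\x00"
    return bytes(img)
```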

We have added detection for the malicious spreadsheet files we have seen in the wild, which will be detected as Trojan.Mdropper.AC. The malicious binary dropped by the spreadsheet will be detected as a Trojan horse. Ensure that your definitions are up-to-date to protect yourself from the danger this issue presents.

The motivation behind this is not yet clear. We are currently monitoring this threat and will post more information when it becomes available. We have been working closely with Microsoft since we discovered this issue. Microsoft has confirmed that this is a new vulnerability, and more information can be found in their Security Advisory located at http://go.microsoft.com/fwlink/?LinkID=143568.

New Excel Trojan Hits the Net


– Update Feb 24, 10:15 PDT –
Microsoft has released a security advisory for this issue (CVE-2009-0238):
http://www.microsoft.com/technet/security/advisory/968272.mspx

Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, and Excel Viewer/Excel Viewer 2003.

A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When successful, it installs a backdoor that attempts to connect to a remote site on port 80 and waits for commands.

The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

Feb25

Another Exploit, This Time On MS Excel

by Jake Soriano (Technical Communications)

Cybercriminals are actively taking advantage of another vulnerability, this time in Microsoft Office Excel. This is the third threat in less than two weeks that featured exploits. Exploit codes on IE7 and PDF bugs were discovered last week and earlier this week respectively.

Microsoft acknowledges the Excel vulnerability in a recent bulletin. The software giant says that it is now investigating the case.

A malicious binary detected by Trend Micro as TROJ_MDROPPER.XR has been found exploiting this Excel bug in the wild. The Trojan arrives on systems as a specially crafted Excel file, through spammed messages or via remote malicious websites. Its routines are triggered when it is opened by unknowing users.

TROJ_MDROPPER.XR drops and executes BKDR_AGENT.FAX, which in turn executes at every system startup. The backdoor connects to websites to send and receive information. It also gives cybercriminals almost the same user rights as the infected local user by opening a random port and enabling a remote user to execute the following commands:

  • delete files
  • download files from a specified remote site
  • execute a specified file/program
  • kill process
  • list drives
  • list file in the system
  • open command shell
  • sleep for a specified amount of time
  • upload files to a specified remote site

The Trend Micro Smart Protection Network already prevents TROJ_MDROPPER.XR and BKDR_AGENT.FAX from running in systems. It also provides solutions for the removal of these malware. Malicious websites are also already blocked.

Adobe Acrobat pdf 0-day exploit, No JavaScript needed!

Published: 2009-02-25,
Last Updated: 2009-02-25 02:12:33 UTC
by Andre L. (Version: 1)

4 comment(s)

So there is a brief blog post linked below that highlights the fact that the new Adobe PDF vulnerability can be exploited without the use of JavaScript. This is obviously really bad news for anyone who is responsible for protecting environments where PDFs are present. I think what a lot of people will find is just how prevalent JBIG2 streams are in "run of the mill" PDF files that are floating around their systems. This means that simply looking for JavaScript + JBIG2 streams in PDF files is not going to do you much good moving forward.

All of the current observed samples are still utilizing JavaScript; this will NOT be the case moving forward!
Let me repeat again. YOU DO NOT NEED JS TO MAKE THIS EXPLOIT WORK. The JavaScript method employed by these attacks is "tried and true" when it comes to creating the right conditions for a reliable exploit.

***I have not been able to verify Secunia's claim independently at this point in time. (I would love to be able to verify this)

Secunia article
http://secunia.com/blog/44/
Now on to the important part of this post.
14 Days left before the patch is out.


Feb25
by Macky Cruz (Technical Communications)


There have been some concerns over whether another new Conficker variant (DOWNAD for Trend Micro) has been released or not. Recall that in January we witnessed cybercriminals update WORM_DOWNAD.A’s routines so that it could propagate via more channels, becoming WORM_DOWNAD.AD. Reports talk of yet more updated functionality in a more recent Conficker run.

This variant, which we also detect as WORM_DOWNAD.AD, has brought in two new paths for binary validation and execution. Both bypass the use of Internet rendezvous points, which the bot masters of the earlier variant used to make contact with DOWNAD drones for tracking or new payload updates:

  • One path is in an extension to netapi32.dll which checks for URLs in RPC traffic. If valid, the file from the URL is downloaded, and if the file is valid for the malware’s purposes, the file is executed.
  • The other new path is when the malware creates a named pipe which it will use to receive any URL sent by the botmaster, much like a backdoor. The malware reads from the named pipe and, if it does not return an error, passes it to another function which will then download, validate and execute a file.

Fortunately for Trend Micro users, Smart Protection Network has been protecting their computers early on since Trend Micro also detects this malware as WORM_DOWNAD.AD. Infected users should read and follow the instructions at the solution page for this malware here. We also provide a fixtool which can likewise help non-Trend Micro users.

Conficker/DOWNAD entries here:

Feb25

Gmail Downtime Exposes Ad-Rigged Site

by JM Hipolito (Technical Communications)

The Gmail downtime experienced today may have caused a nasty ruckus by frustrated users, but unknown to these users is an issue bigger than not being able to access email messages.

In the midst of the commotion brought about by the outage lasting only a few hours, cybercriminals managed to squeeze in an attempt to distribute malicious files to unknowing users.

During the downtime, searches for the string “gmail down” yielded a Google Group page also named Gmail down as the top result. Trend Micro Researcher Loucif Kharouni reports that the said page was found displaying a banner with images related to pornography, which then pointed to a pornographic website. But what’s more dangerous is that links in the said webpage lead to malicious files.


Figure 1. Google Group website set up to distribute malware


Figure 2. Malicious links found on the Gmail down Google Group webpage

The link Really young good looking teenager-547b4.html redirects to two different URLs. First, the URL hxxp:// {BLOCKED}worldx.com/software/f352d5ac52/10410/1/Setup.exe prompts the download of a file detected as TROJ_PROXY.AEI. Kharouni reported that TROJ_PROXY.AEI drops two files—a BAT file and a DLL file. The BAT file is used to load the DLL file, which in turn modifies the registry entries related to proxy server settings. This causes the results of user queries to be redirected to remote sites mostly related to advertising.


Figure 3. A sample query for Trend Micro


Figure 4. The website displayed when clicking the first result

The second URL, hxxp:// {BLOCKED}cktube.com/new/n/Exclusive+Free+porno/3913744, leads to the download of a malicious file detected as TROJ_AGENT.FAKZ. Our researchers are currently analyzing this file to determine its routines.

On the other hand, the link The Dark Knight torrent.zip leads to the download of the BAT file main_movie_torrent.bat. The said file modifies the attributes of the following files:

  • c:\autoexec.bat
  • c:\boot.ini
  • c:\ntldr
  • c:\windows\win.ini

It displays a popup message stating “Virus Activated,” then deletes the abovementioned files, which are all critical files related to loading Windows. After doing so, another pop-up message is displayed, this time stating “Computer Over. Virus=Very Yes.” The computer will then shut down after 10 seconds, and will no longer be able to boot into the operating system. This file is now being studied for detection. Please stand by for updates.

The said Google Group was already deleted, and was reported up for about 25 minutes. Meanwhile, all malicious links are already blocked through the Smart Protection Network (in fact, one of the domains in this incident was already tagged as malicious even prior to today).

This incident serves as proof of how keen cybercriminals’ instincts can get in seeing opportunities to distribute their malicious files.

Feb25

Xbox Live Losers Resort to Hacking

by Jake Soriano (Technical Communications)


Xbox Live users, specifically winning players, are being targeted by hackers. Researchers believe that the attacks are done so other Xbox Live users can get back at the players who beat them in a game.

A BBC report explains that the tools used in this hacking attack do not target the Xbox Live network but the IP addresses of players hosting games. Hackers first try to find out what a target user’s IP address is, and when successful in doing this, they are able to stage attacks commonly done on websites.

Denial of service is an infamous line of attack where hackers flood sites to make them inaccessible to visitors.

This attack again presents an opportunity for cybercriminals to offer their services, for certain amounts of money of course. That is, if they were not already involved in the first place. Sniffing for IP addresses is the hard part of this operation. Imagine irate users paying money to get that information so they could get their revenge.

It is interesting to note that more than a year ago several Xbox Live accounts were hacked, where the goal appeared to be information theft.

Microsoft, which operates Xbox Live, is already investigating this online threat. The company has also made it clear that malicious activities like this violate the Terms of Use of the gaming and digital media service. Users caught participating in this attack could thus be banned.

Adobe Flash Vulnerability
Posted by Vulnerabilities @ 12:45 GMT | Comment (1)

Patch your Flash: There's a vulnerability in multiple versions of Adobe Flash.

See our report:

  •  Adobe Flash Player remote code execution vulnerability

Here's a tip — examine the following folder to see what you have installed:

  •  C:\WINDOWS\system32\Macromed\Flash

You may have multiple files from previous versions just sitting around…

You don't need much more than these files:

C:\WINDOWS\system32\Macromed

Version 10.0.22.87 is the updated version.

Here's the IE version properties:

Flash OCX 10.0.22.87

Here's the Firefox version properties:

Flash NPSWF 10.0.22.87

You can download the update from Adobe, and our Health Check service is also of assistance.

Adobe flash player patch

Published: 2009-02-25,
Last Updated: 2009-02-25 02:39:06 UTC
by Andre L. (Version: 1)

0 comment(s)

A few readers wrote in to point out the fact that Adobe released a new Flash update today. It looks like this update fixes a few security-related issues outlined in APSB09-01 (link below). Please feel free to write in if you find other write-ups on these vulnerabilities.

Associated CVE numbers and acknowledgments:

• CVE-2009-0519 - Roee Hay
• CVE-2009-0520 - Javier Vicente Vallejo
• CVE-2009-0114 - Liu Die Yu
• CVE-2009-0522 - Eduardo Vela
• CVE-2009-0521 - Josh Bressers

Adobe APSB09-01

http://www.adobe.com/support/security/bulletins/apsb09-01.html

iDefense write-up on CVE-2009-0520

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773

Targeted link diversion attempts

Published: 2009-02-25,
Last Updated: 2009-02-25 13:36:50 UTC
by Swa Frantzen (Version: 2)

1 comment(s)

It's always hard to convince people of how easily well-targeted attacks penetrate through our defenses. Examples help in educating, but in the case of targeted attacks these aren't so easy to find and report on.

Imagine you're the webmaster of an unnamed educational institute (no it's not SANS, -unfortunately- as it would mean we would not need to obfuscate parts of the message) and you got this in your inbox this morning:

From: webmaster[at]umich.edu <webmaster[at]umich.edu>
To: [webmaster]
Subject: changing   domain
Dear webmaster
of the website http://[your website]/
We`re writing to you, because our web address http://www.umich.edu/
will be switched off in a couple of weeks.
We would be grateful if you could change the link on your site
[your page with a link to www.umich.edu]
to our new website http://www[dot]umich-edu[dot]com/
We wish to thank you for your help.
Yours faithfully
Peter Premhuber

So what's the goal of this, no self-respecting webmaster would fall for this I hear you think. Well... let's look at that target website: aside from an added white border, it looks like it's the real site out there.

In fact, looking at the source code, all that is there right now is:

<html>
<head>
</head>
<body>
<iframe src="http://www.umich.edu/index.html" width="100%" height="100%" frameborder="0" scrolling="auto"></iframe>
</body>
</html>

A "framed" version of the real site

What's the goal here:

To get enough incoming links to a website from authoritative sources so the hacker's site gets relevance in search engines, and after that, your guess is as good as ours as to what they'll put in that iframe instead of or in addition to the real website.

Looking at the .com domain name: it was registered on "05-feb-2009" and is hosted in Turkey ...

Building defenses so our people don't fall for targeted attempts like these is hard. It requires a tremendous amount of awareness to catch this on an individual and consistent basis.

Trying to make sure our websites don't fall prey to this low-tech link hijacking isn't easy either, as most of it happens well outside our perimeter; the best we can hope for is detection and then reacting to it.

Is this new? Nah, of course not, but it's easy enough to find tracks of these perps if you search for the name they used to sign the message with; you find they tried before to divert links pointing to:

• http://Newcastle.edu.au/ to http://www[dot]Newcastle-edu[dot]com/ in October 2008
• http://www.uga.edu/ to http://www[dot]uwa-edu[dot]com in November 2008

with virtually identical messages.

So what's on those two older domains today? Well, it seems it's a blog using WordPress as a CMS and using German text, which is interesting as those reporting this to us were from Germany as well [shared with permission].

I guess they're still waiting to get traffic and payload.

How well did this diverting of links actually work?

• http://www[dot]Newcastle-edu[dot]com/ had 7 incoming links in a Google link search
• http://www[dot]uwa-edu[dot]com had one incoming link in a Google link search

It's hard to tell how high their success rate is based on this, but it's also clearly not zero either. Especially not if you look at source code like:

<a href="http://www[dot]newcastle-edu[dot]com">www.newcastle.edu.au</a>
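One way a site owner can spot links of exactly this kind in their own pages, as an added example that is not ISC's or the diary author's code: it flags anchors whose visible text names a different host than the href (the newcastle.edu.au case just above) and hosts carrying a <name>-edu label like the three lookalike domains in this diary. The sample page is constructed; the heuristic is mine, not a rule from the diary.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Visible anchor text that itself looks like a hostname or bare URL.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/?$", re.I)


def _norm(host: str) -> str:
    """Lower-case and drop a leading www. so www.x.edu and x.edu compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_outbound_links(html: str) -> List[Tuple[str, str, List[str]]]:
    """Return (href, text, reasons) for links that deserve a second look:
    the visible text names one host while the href points at another, or
    the href's host has a <name>-edu label (a heuristic for the lookalike
    shape used in the messages above)."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlsplit(href).hostname or ""
        if not host:            # relative or mailto: links are out of scope
            continue
        reasons = []
        m = HOSTLIKE.match(text)
        if m and _norm(m.group(1)) != _norm(host):
            reasons.append("visible text names a different host")
        if any(label.endswith("-edu") for label in host.split(".")):
            reasons.append("host label mimics an .edu domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample page: one diverted link of the kind shown above, one
# lookalike behind neutral text, and two legitimate links.
SAMPLE_HTML = """<ul>
<li><a href="http://www.newcastle-edu.com">www.newcastle.edu.au</a></li>
<li><a href="http://www.umich.edu/">University of Michigan</a></li>
<li><a href="http://www.umich-edu.com/">Michigan (new address)</a></li>
<li><a href="http://www.example.org/">www.example.org</a></li>
</ul>"""
```

Run it over a site crawl rather than a single page; the mismatch check alone catches the case where an editor followed the "please update your link" request.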
AutoRun disabling patch released

Published: 2009-02-25,
Last Updated: 2009-02-25 17:38:39 UTC
by donald smith (Version: 1)
1 comment(s)

Microsoft released a patch to correct the "disable autorun registry key" enforcement.
http://support.microsoft.com/kb/967715
Updates are offered for the following OSes:
* Microsoft Windows 2000
* Windows XP Service Pack 2
* Windows XP Service Pack 3
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2

US-CERT released an announcement stating that "Microsoft Windows does not disable AutoRun properly" back on January 20th.
http://www.us-cert.gov/cas/techalerts/TA09-020A.html

"Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability."

The Conficker worm spreads via autorun, and we have run several diaries about autorun issues.
Conficker -> http://isc.sans.org/diary.html?storyid=5695
PictureFrame malware -> http://isc.sans.org/diary.html?storyid=3817
PictureFrame Malware2 -> http://isc.sans.org/diary.html?storyid=3807

Keywords: autorun patch