November 2010 - Posts

Published: 2010-11-24,
Last Updated: 2010-11-24 21:56:08 UTC
by Bojan Zdrnja (Version: 2)
5 comment(s)

Today, proof-of-concept code (source plus a compiled binary) for a 0-day privilege escalation vulnerability affecting almost all Windows versions (Windows XP, Vista, 7, Server 2008 ...) was posted on a popular programming web site.

The vulnerability is a buffer overflow in the kernel-mode driver win32k.sys. Because the overflow is in kernel code, a successful exploit runs with kernel privileges, and User Account Control (UAC) on Windows Vista and 7, which only mediates elevation in user mode, does not stand in its way.
What's interesting is that the vulnerable function is one that reads a value from the registry, so to exploit it the attacker first has to be able to create a specially crafted registry key. The author of the PoC found such a key that a normal user on Windows Vista and 7 can create, so the attacker does not need any administrative privileges to start with.

The PoC creates that key and then calls into a library that reads it back; during that read the vulnerable code in win32k.sys is reached.
Since this is kernel code (the kernel allows no mistakes), the published PoC only works on certain kernel builds; on others it produces a BSOD instead of a privilege escalation. That said, the code can probably be adapted to other kernel builds without much effort.
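The bug class the diary describes, as an added example that is neither the leaked PoC nor the ISC author's code: a simulated kernel routine asks the registry for a value it expects to be a fixed-size binary blob and copies back whatever length the registry reports. The "registry", the frame layout and every function name here are invented for illustration; the real vulnerable code lives in win32k.sys and the real overrun lands on whatever the kernel keeps next to the buffer. The hardened variant checks type and length before copying a single byte.

```c
/* Added example: a user-space model of the win32k.sys bug class described
 * above. Nothing here is the leaked PoC; the "registry", the frame layout
 * and the names are invented for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Registry value types, with the Win32 names. */
#define REG_SZ     1
#define REG_BINARY 3

/* What a registry query hands back to the caller. When the key lives
 * somewhere a normal user can write, type, length and data are all
 * attacker-controlled. */
struct reg_value {
    uint32_t       type;
    size_t         length;
    const uint8_t *data;
};

/* The consumer's frame, modelled as one byte arena so that the overrun is
 * well-defined in this demo. Layout: a 16-byte buffer for the value, then
 * 8 bytes standing in for whatever the kernel keeps next to it. */
#define FONT_BUF_LEN  16
#define NEIGHBOUR_OFF FONT_BUF_LEN
#define NEIGHBOUR_LEN 8
#define ARENA_LEN     64

static const uint8_t neighbour_pattern[NEIGHBOUR_LEN] =
    { 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d };

static void frame_init(uint8_t *arena)
{
    memset(arena, 0, ARENA_LEN);
    memcpy(arena + NEIGHBOUR_OFF, neighbour_pattern, NEIGHBOUR_LEN);
}

/* 1 if the bytes beside the buffer survived the read, 0 if clobbered. */
int neighbour_intact(const uint8_t *arena)
{
    return memcmp(arena + NEIGHBOUR_OFF, neighbour_pattern, NEIGHBOUR_LEN) == 0;
}

/* Vulnerable pattern: the caller supplied a FONT_BUF_LEN buffer and assumed
 * the value is a REG_BINARY of exactly that size, but copies whatever length
 * the registry reports. Always "succeeds" and returns 0. */
int read_font_value_vulnerable(const struct reg_value *v, uint8_t *arena)
{
    frame_init(arena);
    size_t n = v->length;
    if (n > ARENA_LEN)          /* keeps the demo inside the arena; the real */
        n = ARENA_LEN;          /* kernel has no such stop */
    memcpy(arena, v->data, n);  /* BUG: n is never checked against FONT_BUF_LEN */
    return 0;
}

/* Hardened pattern: refuse anything that is not the expected type and exact
 * size before a single byte is copied. Returns -1 and leaves the frame
 * untouched on rejection. */
int read_font_value_hardened(const struct reg_value *v, uint8_t *arena)
{
    frame_init(arena);
    if (v->type != REG_BINARY || v->length != FONT_BUF_LEN)
        return -1;
    memcpy(arena, v->data, FONT_BUF_LEN);
    return 0;
}

/* Constructed inputs: legit_value is what the kernel expects; evil_value is
 * a 40-byte REG_SZ that an unprivileged user wrote under a key they control. */
static const uint8_t legit_data[FONT_BUF_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };
const struct reg_value legit_value = { REG_BINARY, FONT_BUF_LEN, legit_data };

static uint8_t evil_data[40];
const struct reg_value *evil_value(void)
{
    static struct reg_value v;
    memset(evil_data, 'A', sizeof evil_data);
    v.type = REG_SZ;
    v.length = sizeof evil_data;
    v.data = evil_data;
    return &v;
}

int main(void)
{
    uint8_t arena[ARENA_LEN];
    read_font_value_vulnerable(evil_value(), arena);
    printf("vulnerable read of the 40-byte value: neighbour %s\n",
           neighbour_intact(arena) ? "intact" : "CLOBBERED");
    int rc = read_font_value_hardened(evil_value(), arena);
    printf("hardened read: rc=%d, neighbour %s\n", rc,
           neighbour_intact(arena) ? "intact" : "CLOBBERED");
    return 0;
}
```

In the real kernel the clobbered neighbour is whatever happens to follow the stack buffer in that build's frame layout, which is why a PoC written against one win32k.sys build corrupts something else, and bluescreens, on another.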

We are not aware of any exploitation of this vulnerability at the moment. Since it can only be exploited locally, it depends on another attack vector to get code running on the machine in the first place, but knowing how readily users click on unknown files, this is definitely something we will keep an eye on, and we will post updates if we see exploitation.

The PoC has in the meantime been removed from the original site, but now that it has been published I'm sure that everyone who wants to get it can do so easily.

QUICK UPDATE:

I just wanted to confirm that the PoC works as advertised, as you can see below:

(screenshot: the PoC running)

However, as expected (and as stated by the PoC author), on my version of Windows 7, which has win32k.sys 6.1.7600.16667, it is unstable and causes a pretty nasty BSOD after a couple of minutes (I even had to restore the previous system state to get Windows to boot).

Adobe Acrobat Spam Going Strong - More to Come?


Published: 2010-11-22,
Last Updated: 2010-11-22 16:18:20 UTC
by Lenny Zeltser (Version: 1)

0 comment(s)

We received several reports of spam email messages that advertise a new version of Adobe Acrobat, attempting to entice the recipient into clicking a link to a suspicious website. (Thanks, Steve and Bill.)

Since Adobe announced a new version of Adobe Reader a few days ago, we expect to see more spam proclaiming the security advantages of the new version and urging people to upgrade. The new messages will likely play up the improved security of Adobe Reader X as a social-engineering hook.

At the moment, Adobe Acrobat/Reader spam is not yet using the Reader X designation, but talks about "Adobe Acrobat 2010":

Subject: Download Your New Adobe PDF Reader For Windows And Mac

INTRODUCING UPGRADED ADOBE ACROBAT 2010

Dear Customers,

Adobe is pleased to announce new version upgrades for Adobe Acrobat 2010.

hxxp://www.adobe -acrobat-solutions.com

Advanced features include:

...

Variations of these messages have been around for a few months, as Adobe confirmed on September 13. The spam we've seen has used mostly the same text in the message body but changed the Subject lines and destination URLs:

September:

Subject: Upgrade New Adobe Acrobat 2010 PDF Reader Alternative, hxxp://www.pdf -adobe-download.com

October:

Subject: Adobe Upgrade Notification, hxxp://www.adobe -upgrades.com

Subject: Action Required : Download Your New Adobe Acrobat Reader, hxxp://www.adobe -acrobat-new-download.com

Subject: New Adobe Acrobat PDF Reader Alternative, hxxp://www.official -adobe-software.com

November:

Subject: Action Required : Active Your New Adobe PDF Reader, hxxp://http://www.adobe -pro-software.com

Subject: Action Required : Upgrade Your New Adobe PDF Reader, hxxp://www.adobe -pro-upgrade.com

Subject: Download Your New Adobe PDF Reader For Windows And Mac, hxxp://www.adobe -acrobat-solutions.com

Note that the suspicious domains used in this campaign tend to include "adobe" somewhere in the name and to contain hyphens; none of them is actually under adobe.com.

The domains that are still active were registered through Regional Network Information Center, JSC dba RU-CENTER and specified ns3.nic.ru, ns4.nic.ru, and ns8.nic.ru as their DNS servers. The contact details for the domains sometimes named "PDF Reader Solutions" as the registrant and were probably fake.

The sites advertised in the spam try to convince the visitor to provide his or her credit card number to obtain PDF reader/writer software, using a form hosted on secureonline.ru. We haven't checked whether the software is actually malicious, but we're doubtful of its intentions.
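A mail-gateway style filter for the domain pattern described above, as an added example that is not part of the diary: it undoes the defanging of the quoted URLs (hxxp://, stacked schemes, the stray space after "adobe"), extracts the host, and flags names that contain "adobe" and a hyphen but are not under adobe.com. The two benign URLs in the sample list are constructed for contrast; the function and constant names are the example's own.

```c
/* Added example: a filter for the "adobe"-with-hyphens lookalike domains
 * described above. Not from the diary; the sample URLs are the defanged
 * samples quoted in the spam plus two constructed benign ones. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256

/* Case-insensitive "does s start with prefix". */
static bool prefix_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Pull the host out of a URL, lowercased, with defanging undone: hxxp(s)://
 * is accepted as a scheme, stacked schemes ("hxxp://http://...") are all
 * stripped, and whitespace inside the host (the "adobe -acrobat" artefact)
 * is dropped. Returns false if no host is present or it does not fit. */
bool extract_host(const char *url, char *host, size_t host_len)
{
    const char *schemes[] = { "hxxps://", "https://", "hxxp://", "http://" };
    for (bool stripped = true; stripped; ) {
        stripped = false;
        for (size_t i = 0; i < 4; i++) {
            if (prefix_nocase(url, schemes[i])) {
                url += strlen(schemes[i]);
                stripped = true;
            }
        }
    }
    size_t n = 0;
    for (; *url && *url != '/' && *url != '?' && *url != '#'; url++) {
        if (isspace((unsigned char)*url))
            continue;
        if (n + 1 >= host_len)
            return false;
        host[n++] = (char)tolower((unsigned char)*url);
    }
    host[n] = '\0';
    return n > 0;
}

/* True for adobe.com itself and any subdomain of it. */
static bool is_adobe_owned(const char *host)
{
    static const char legit[] = "adobe.com";
    size_t hl = strlen(host), ll = sizeof legit - 1;
    if (hl < ll || strcmp(host + hl - ll, legit) != 0)
        return false;
    return hl == ll || host[hl - ll - 1] == '.';
}

/* The campaign heuristic from the diary: "adobe" somewhere in the name,
 * at least one hyphen, and not actually under adobe.com. */
bool is_adobe_lookalike(const char *host)
{
    if (is_adobe_owned(host))
        return false;
    return strstr(host, "adobe") != NULL && strchr(host, '-') != NULL;
}

/* Run the filter over a batch of URLs; returns how many were flagged. */
int count_lookalikes(const char *const *urls, size_t n)
{
    char host[HOST_MAX];
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (extract_host(urls[i], host, sizeof host) && is_adobe_lookalike(host))
            flagged++;
    return flagged;
}

/* The seven defanged URLs quoted in the diary plus two constructed benign ones. */
const char *const SAMPLE_URLS[] = {
    "hxxp://www.pdf -adobe-download.com",
    "hxxp://www.adobe -upgrades.com",
    "hxxp://www.adobe -acrobat-new-download.com",
    "hxxp://www.official -adobe-software.com",
    "hxxp://http://www.adobe -pro-software.com",
    "hxxp://www.adobe -pro-upgrade.com",
    "hxxp://www.adobe -acrobat-solutions.com",
    "https://get.adobe.com/reader/",             /* constructed: legitimate */
    "http://www.example.com/adobe-reader.html",  /* constructed: benign */
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_URLS / sizeof SAMPLE_URLS[0];

int main(void)
{
    char host[HOST_MAX];
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (extract_host(SAMPLE_URLS[i], host, sizeof host))
            printf("%-40s %s\n", host, is_adobe_lookalike(host) ? "FLAG" : "ok");
    printf("%d of %zu flagged\n", count_lookalikes(SAMPLE_URLS, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

The hyphen requirement is the diary's observation about this particular campaign and is deliberately narrow; a name such as "adobeupdate" without a hyphen would pass. A second signal worth adding where a resolver is available is the nameserver set the diary reports (ns3/ns4/ns8.nic.ru), which this offline example does not query.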

Here's what the landing pages linked from spam messages looked like:

Here's what the subsequent pages, which requested user data, looked like:

Consider letting users in your organization know about these Adobe spam activities, so that they don't attempt to download and install software coming from an untrusted source.

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and recently launched a security blog.

Published: 2010-11-09,
Last Updated: 2010-11-09 18:41:02 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Overview of the November 2010 Microsoft Patches and their status.
 

Each entry lists the bulletin, the affected product, contra indications, known exploits, the Microsoft rating and the ISC rating(*) for clients and servers.

MS10-087 - Vulnerabilities in Microsoft Office, code execution (replaces MS10-003, MS10-036)
  Affected: Microsoft Office
  CVE-2010-3333, CVE-2010-3334, CVE-2010-3335, CVE-2010-3336, CVE-2010-3337
  KB 2423930
  Contra indications: none listed
  Known exploits: exploit available
  Microsoft rating: Critical, Exploitability: 1
  ISC rating: clients Critical, servers Important

MS10-088 - Vulnerabilities in Microsoft PowerPoint, code execution (replaces MS10-004, MS10-036, MS09-017)
  Affected: Microsoft Office
  CVE-2010-2572, CVE-2010-2573
  KB 2293386
  Contra indications: none listed
  Known exploits: none listed
  Microsoft rating: Important, Exploitability: 1
  ISC rating: clients Critical, servers Important

MS10-089 - Vulnerabilities in Forefront Unified Access Gateway, escalation of privilege
  Affected: Forefront UAG
  CVE-2010-2732, CVE-2010-2733, CVE-2010-2734, CVE-2010-3936
  KB 2316074
  Contra indications: none listed
  Known exploits: none listed
  Microsoft rating: Important, Exploitability: 1
  ISC rating: clients N/A, servers Important
We will update this page for about a week or so as issues evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.
Published: 2010-11-03,
Last Updated: 2010-11-07 14:30:10 UTC
by Kevin Liston (Version: 6)
3 comment(s)

Microsoft has announced a vulnerability in all currently supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (advisory 2458511: http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx). This would likely be leveraged in a drive-by exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.

 

UPDATE: Symantec has details on the targeted attack here: http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks

UPDATE2: Added MSRC Blog link.

UPDATE3: Added CVSS Base.

UPDATE4: Noting that exploit code is in the wild.

UPDATE5: IDS signatures are available

CVSS Base: 9.3
Exploit code: publicly-available
Workarounds: available, DEP, EMET, and CSS-override.
Patches: unavailable
IDS signatures: available

DEP, EMET protect against attacks on the latest Internet Explorer vulnerability

Today we released Security Advisory 2458511 notifying customers of limited attacks leveraging an Internet Explorer vulnerability. The beta version of Internet Explorer 9 is not affected while Internet Explorer 6, 7, and 8 are affected. So far the attacks we have seen only target Internet Explorer versions 6 and 7 on Windows XP.  Attacks would not have been successful against Internet Explorer 8. In this post we will explain the vulnerability, describe why Internet Explorer 8 users are at reduced risk, and cover how to protect yourself from future attacks leveraging this vulnerability.

The vulnerability

Internet Explorer incorrectly under-allocates memory to store a certain combination of Cascading Style Sheets (CSS) tags when parsing HTML. This could result in an overwrite of the least significant byte of a vtable pointer. An attacker able to spray memory with a specific pattern could potentially execute code in the context of the process parsing the HTML. The defense against heap spray style attacks is Data Execution Prevention (DEP).

DEP blocks current attacks

The attacks we’ve seen are all blocked by DEP. DEP is enabled by default on IE8 and can be enabled for earlier versions of IE as well. Refer to the advisory for details on how to do this. Because this is not a typical use-after-free vulnerability, we anticipate exploit writers having a difficult time bypassing DEP. The current techniques for bypassing DEP cannot be directly applied because the memory corruption is a partial vtable pointer overwrite. We anticipate that any exploit that attempts to bypass DEP will be highly unreliable (i.e. causing IE to crash), especially on systems that support Address Space Layout Randomization (ASLR).

How can I add more protection?

As discussed above, this vulnerability is in the processing of a specific combination of Cascading Style Sheets (CSS) tags. In addition to making sure DEP is enabled, the best workaround option is to override the CSS supplied by the website using a user-defined .CSS file for a small subset of the CSS language. This will prevent all versions of Internet Explorer from going down the vulnerable code path and has been found to have a very limited application compatibility risk. The advisory describes the procedure to apply user-defined CSS in the HKEY_CURRENT_USER registry hive.

Staying protected with EMET

Earlier this year, we released version 2.0 of the Enhanced Mitigation Experience Toolkit (EMET). This toolkit helps to prevent software vulnerabilities from being exploited through the use of a number of different security mitigation technologies.

Among other things, EMET enables DEP on a target process. Using EMET on a version of Internet Explorer that does not enable DEP by default will block the attacks we have analyzed. Beyond this, EMET includes several other mitigations such as Mandatory ASLR and EAT Access filtering (EAF) that can help block future attacks.

Please note that if you install EMET, you will also need to configure it to protect a specific application. Instructions on how to do this can be found in the advisory as well as in the user’s guide that is installed with EMET.

Thanks to Fermin J. Serna for his work on the issue as well as on EMET.

-Andrew Roths, Jonathan Ness, and Chengyun Chu, MSRC Engineering

New IE 0-Day used in Targeted Attacks

 

Things have been pretty rough in the Response world the past few weeks. The number of exploits taking advantage of unknown and unpatched vulnerabilities has been breathtaking.

One such case started a few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gotten access to the website account and uploaded content without the owners knowing. Here is what the email looked like:

The link pointed to a page which contained a script looking to see what version of the browser and Operating System the visitor was using. Since the specific exploit page only worked when someone was using Internet Explorer 6 and 7, the script only transferred the visitor to the page hosting the exploit when this condition was met. In other cases the users didn't see anything but a blank website.

Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed for any remote program to be executed without the end user's notice. Once infected, the malware set itself to start up with the computer, along with a service named 'NetWare Workstation'. The piece of malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files named with a .gif extension. These small files are actually encrypted files with commands telling the Trojan what to do next. It was programmed in a manner to be able to download these small, encrypted files from the following folders on the remote server:

  • images
  • pic
  • image
  • binary
  • news
  • index
  • picture
  • bbs

We were able to get a network capture of the traffic with a bunch of such .gif (named) files that contained commands. Here is a very short snippet of what the attacker did on a compromised computer:

Looking at the flow of commands it is obvious to us that someone is entering these commands manually from a remote computer.

The files being downloaded by the attacker were hosted on yet another hacked website. The owners of this server were also unaware of their computer being involved in hosting of malicious programs.

In fact, when we contacted the owners of the server which housed the original exploit page and malware, they immediately took down the malicious content. Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations. The files on this server had been accessed by people in lots of organizations in multiple industries across the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser which wasn't vulnerable or targeted.

We informed Microsoft of the vulnerability just as we were able to confirm it, and they were able to confirm our findings about the vulnerability itself. They also confirmed that the vulnerability seems to be limited to IE 6 and 7. Microsoft plans to post an advisory on this subject in the coming hours. Once public, it will be available here. Symantec has detection in place for this IE vulnerability as Downloader. Initial Symantec detection names for the malware served after exploitation were Downloader and Trojan Horse. They have since changed to Backdoor.Pirpi.

I know we normally end such blogs with a little blurb about safe computing. Since you're still reading this article here is one such note to the people who have control of servers facing the Internet—these computers are your responsibility. Make sure you know what is being served off these computers, patch them, install firewalls with appropriate configuration, change passwords regularly, and—most of all—don't allow it to accept connections from the Web unless you know what you're doing.

Hi everyone,

Today we released Security Advisory 2458511 to address a new vulnerability that could impact Internet Explorer users if they visit a website hosting malicious code. As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers. The exploit code was discovered on a single website which is no longer hosting the malicious code. When a website is discovered to host malicious software, we work through legal channels to take the site down. These kinds of attempts to exploit systems and the people using technology are the activity of criminals. Microsoft takes this very seriously and where possible, we will take legal action against those responsible.

Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie. Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms. For supported versions of Windows running earlier versions of Internet Explorer, please review this blog post from our Security Research & Defense team describing how to enable DEP.

The Security Advisory also details a workaround that customers can apply that will protect all affected versions of IE from this issue. We are working to put a Microsoft Fix it in place for easy implementation and will update customers as soon as that is ready. Our Security Research & Defense team has also provided a detailed write up on how the workaround protects against the vulnerability.

We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue and are sharing detailed information through the Microsoft Active Protections Program (MAPP). Our 70 global MAPP partners, including leading providers of anti-virus and anti-malware products, provide protections for an estimated one billion customers worldwide. If your protection provider is in our MAPP program, you can contact them concerning the status of providing protections for this issue as it is likely that updated malware signatures in these products will offer further protection. For customers of Microsoft Security Essentials and our Forefront security products, new signatures will be published today offering additional protection. Internet Explorer 8 also includes SmartScreen technology which helps provide protection against many types of socially engineered malware and phishing attacks, and which earlier this year reached the milestone of blocking over 1 billion attempts to download malware. In certain circumstances, SmartScreen may also help to protect customers in this case.

We are working to develop a security update to address this attack against our customers. The issue does not meet the criteria for an out-of-band release. However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.

As always, we encourage Internet users to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect.

Thank you,

Jerry Bryant
Group Manager,
Response Communications
Trustworthy Computing Group
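The memory corruption primitive the MSRC post above describes, modelled as an added example (not Microsoft's, Symantec's or the diary author's code): a write that changes only the least significant byte of an object's vtable pointer. The region layout, the object and the method names are invented; what the model shows is why a one-byte overwrite can only redirect a virtual call within the 256-byte window the pointer already sits in, why an attacker therefore sprays memory with a pattern, and why the generic DEP-bypass recipes for full pointer overwrites do not carry over directly. The region alignment uses a GCC/Clang attribute.

```c
/* Added example: a model of the "partial vtable pointer overwrite" from the
 * MSRC post. Not Microsoft's or Symantec's code; region layout, object and
 * method names are invented for illustration. Requires GCC or Clang for
 * the alignment attribute. */
#include <stdint.h>
#include <stdio.h>

typedef int (*method_t)(void);

static int legit_method(void)    { return 1; }    /* what the object should call */
static int attacker_method(void) { return 0x41; } /* stand-in for sprayed content */

/* One 256-byte-aligned region standing in for a slice of the heap. */
#define REGION_SLOTS 128
#define VTABLE_SLOT  2          /* the genuine vtable sits at byte offset 2*sizeof(method_t) */
static method_t region[REGION_SLOTS] __attribute__((aligned(256)));

struct object { method_t *vtable; };

/* Fill the region as a heap spray would, then plant the one genuine entry. */
void region_init(void)
{
    for (int i = 0; i < REGION_SLOTS; i++)
        region[i] = attacker_method;
    region[VTABLE_SLOT] = legit_method;
}

/* Virtual call through slot 0, as the HTML parser would make it. */
int dispatch(const struct object *o)
{
    return o->vtable[0]();
}

/* The primitive from the advisory: only the least significant byte of the
 * vtable pointer changes; the upper bytes are whatever they already were. */
void overwrite_vptr_lsb(struct object *o, uint8_t new_lsb)
{
    uintptr_t p = (uintptr_t)o->vtable;
    o->vtable = (method_t *)((p & ~(uintptr_t)0xff) | new_lsb);
}

/* An LSB-only write can only move the pointer within the 256-byte window it
 * already points into; this is the constraint the MSRC post relies on. */
int lsb_reachable(const struct object *o, const void *target)
{
    return ((uintptr_t)o->vtable >> 8) == ((uintptr_t)target >> 8);
}

/* Intact object: the call lands on the genuine method. Returns 1. */
int demo_before(void)
{
    region_init();
    struct object o = { &region[VTABLE_SLOT] };
    return dispatch(&o);
}

/* Same object after the corruption: the vtable pointer now points at
 * region[0], which the spray filled. Returns 0x41. */
int demo_after(void)
{
    region_init();
    struct object o = { &region[VTABLE_SLOT] };
    overwrite_vptr_lsb(&o, 0x00);
    return dispatch(&o);
}

int main(void)
{
    printf("before: %#x  after LSB overwrite: %#x\n", demo_before(), demo_after());
    struct object o = { &region[VTABLE_SLOT] };
    printf("region[0] reachable: %d, region[%d] reachable: %d\n",
           lsb_reachable(&o, &region[0]), REGION_SLOTS - 1,
           lsb_reachable(&o, &region[REGION_SLOTS - 1]));
    return 0;
}
```

The sprayed slots in this model are real function pointers, which is why the redirected call "works" here; in a browser process with DEP enabled the sprayed bytes are data, not executable code, so reaching them is where such an exploit stalls, which is the point the MSRC post makes.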

Adobe Shockwave Player "Shockwave Settings" Use-After-Free Vulnerability


Published: 2010-11-03,
Last Updated: 2010-11-03 15:12:16 UTC
by Kevin Liston (Version: 1)

0 comment(s)

Juha-Matti reports that an odd Shockwave vulnerability has been identified (http://secunia.com/advisories/42112/.) I call it "odd" because it's not the typical "download crafted flash file and it executes code." The victim has to open the Shockwave settings window while having the malicious website open. It's a new hurdle, but I'm not sure that it's insurmountable.

There is currently no CVE or response from Adobe.

Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)


Published: 2010-11-03,
Last Updated: 2010-11-03 15:03:19 UTC
by Kevin Liston (Version: 1)

0 comment(s)

Microsoft has announced a vulnerability in all currently supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (advisory 2458511). This would likely be leveraged in a drive-by exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.

I'm still collecting more details so this will be updated as more details become available.

CVSS Base: pending
Exploit code: non-public, but reported to have attacks in the wild.
Workarounds: available
Patches: unavailable
IDS signatures: pending