SophosLabs Released Free Tool to Validate Microsoft Shortcut

Published: 2010-07-26,
Last Updated: 2010-07-26 17:03:58 UTC
by Guy Bruneau (Version: 1)

SophosLabs has just released a free tool that provides detection against the Windows shortcut exploit that we published last week here and here. Sophos has indicated it works with any antivirus software and it works with Windows XP/Vista/7 but not 2000. When Windows tries to display an icon with a shortcut, the tool will intercept the request in order to validate it and give back control to the user if not found to be malicious.

SophosLabs has made a video available explaining the exploit and how the tool works here, and the tool is available for download here.

Update on .LNK vulnerability

Published: 2010-07-21,
Last Updated: 2010-07-21 13:58:43 UTC
by Adrien de Beaupre (Version: 1)

Microsoft have updated their security advisory 'Vulnerability in Windows Shell Could Allow Remote Code Execution' (2286198) to describe further attack vectors for this vulnerability. The vulnerability can be exploited using .LNK files on removable drives, via WebDav and network shares, using .PIF files as well as .LNK, and via documents that have shortcuts embedded within them. The original discussion on this vulnerability is here: isc.sans.edu/diary.html?storyid=9181
The ISC has previously raised the Infocon (isc.sans.edu/diary.html?storyid=9190) with regard to this issue, and will continue to monitor for any changes. Please let us know via our contact page or by commenting below if you have any new information on the issue, have been affected by this vulnerability being exploited, or have a copy of malware taking advantage of it.

Cheers,
Adrien de Beaupré
EWA-Canada.com

Keywords: LNK Microsoft Security Advisory Update PIF WebDav

Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow

Published: 2010-07-19,
Last Updated: 2010-07-19 18:01:06 UTC
by Lenny Zeltser (Version: 1)

We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation. Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far.

Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers that have access to some systems in the enterprise can use the vulnerability to infect other internal systems.

We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory that described the bug "Windows Shell Could Allow Remote Code Execution," which affects most versions of Windows operating systems. Microsoft's workarounds for the issue include:

  • Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, and is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of Registry Client-Side Extensions, the regini.exe utility and the creation of a custom .adm file: see Distributing Registry Changes for details.
  • Disable the WebClient service. This will break WebDAV and any services that depend on it.

Another approach to mitigate the possible LNK attack involves the use of Didier Stevens' tool Ariad. Note that the tool is beta-software operating in the OS kernel, so it's probably not a good match for enterprise-wide roll-out.

Additional recommendations for making the environment resilient to an attack that exploits the LNK vulnerability include:

  • Disable auto-run of USB key contents. This would address one of the exploit vectors. For instructions, see Microsoft KB967715.
  • Lock down SMB shares in the enterprise, limiting who has the ability to write to the shares.

Sadly, enterprises that are ever likely to disable auto-run and lock down SMB file shares have probably done so already, back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these operating systems. As a result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will improve enterprises' ability to detect and respond to attacks that may use the LNK vulnerability.

Do you have recommendations for addressing the LNK issue? Let us know.

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

Published: 2010-07-13,
Last Updated: 2010-07-13 17:30:42 UTC
by Jim Clausing (Version: 1)

Overview of the July 2010 Microsoft Patches and their status.

Important: with today's patches, support for XP SP2 officially comes to an end.  There will be no more patches for XP SP2 after today.

Columns: # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) (clients / servers)

MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution
  Affected: Windows XP SP2 and above, Windows Server 2003 SP2 (CVE-2010-1885)
  Contra Indications: KB 2229593
  Known Exploits: actively being exploited
  Microsoft rating: Severity: Critical, Exploitability: 1
  ISC rating: clients PATCH NOW!, servers Critical

MS10-043: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
  Affected: Windows 7 x64, Windows Server 2008 R2 x64 (CVE-2009-3678)
  Contra Indications: KB 2032276
  Known Exploits: no known exploits
  Microsoft rating: Severity: Critical, Exploitability: 2
  ISC rating: clients Critical, servers Critical

MS10-044: Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution
  Affected: Access 2003 SP3, Access 2007 SP1 and above (CVE-2010-0814, CVE-2010-1881)
  Contra Indications: KB 982335
  Known Exploits: no known exploits
  Microsoft rating: Severity: Critical, Exploitability: 1,1
  ISC rating: clients Critical, servers Critical

MS10-045: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (Replaces MS09-060)
  Affected: Outlook (CVE-2010-0266)
  Contra Indications: KB 978212
  Known Exploits: no known exploits
  Microsoft rating: Severity: Important, Exploitability: 1
  ISC rating: clients Critical, servers Critical

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Info from Microsoft:

Windows 2000

http://support.microsoft.com/ph/1131

Windows XP SP2

http://support.microsoft.com/gp/lifean31

Study of clickjacking vulnerabilities on popular sites

Published: 2010-06-27,
Last Updated: 2010-06-27 19:47:38 UTC
by Manuel Humberto Santander Pelaez (Version: 1)

If you are looking for some activity on this Sunday afternoon (2:37 PM GMT-5 here in Medellín, Colombia), I strongly suggest you review the excellent paper published by Gustav Rydstedt, Elie Bursztein and Dan Boneh from Stanford University about clickjacking attacks and how to put proper defenses against them in place.

Download the paper here: http://seclab.stanford.edu/websec/framebusting/framebust.pdf

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Keywords: clickjacking frame busting iframe

iPhone Launch Triggers Nefarious Activity

Posted: 24 Jun 2010 10:53 AM

With the official launch of Apple's iPhone 4 today, people are queuing outside stores to get hold of the latest smartphone.

Spammers do not miss an opportunity to jump on the hype around new product launches - especially in the case of the iPhone 4 when all 600,000 pre-orders have been allocated prior to the official launch date.  Our ThreatSeeker Network has identified iPhone 4 themed spam and Facebook wall posts. Should the users be tempted by the offer of a free iPhone 4, they are presented with affiliate campaigns to harvest email addresses to push further products on the user.

We were seeing Facebook posts that entice users with the possibility of receiving a free iPhone 4 as shown below.

Facebook post:

Upon clicking on the url within the Facebook post, the user then progresses through a series of data collection systems (requests for email address and full postal address) enticing users with offers of a free iPhone 4.

Within our Hosted Email Security service we are also seeing spam campaigns jumping on the iPhone 4 theme.  The example below, of which we have seen over 300,000 instances, leads to a Russian domain pushing a pharmacy website.

A second example offering a free iPhone.

More information on the queues outside stores here.

Jun 23, 4:03 am (UTC-7) | by Jonathan Leopando (Technical Communications)

Chinese PC manufacturer Lenovo is the latest high-profile company to be compromised. Sometime over the past weekend, its support pages, which allowed users to download drivers and manuals, were compromised with the addition of a malicious iframe.

The website in this malicious iframe led to the download of a BREDOLAB variant detected as TROJ_BREDOLAB.BY. This malware family is well-known for being a downloader of other malware onto affected systems, particularly ZBOT and FAKEAV variants.

BREDOLAB first gained prominence in late 2009 when the number of reported infections significantly grew. Upon investigation by senior advanced threats researcher David Sancho, it was found that BREDOLAB was a new malware family similar to earlier PUSHDO variants.

Later investigations by senior advanced threats researcher Loucif Kharouni established the key role BREDOLAB plays in the criminal underworld. As mentioned earlier, cybercriminals running pay-per-install (PPI) scams frequently use BREDOLAB to infect user systems.

Lenovo has acknowledged the incident on its official forum and has indicated that the affected pages have now been cleaned. Reports from Vietnamese antivirus vendor Bkis indicated that the pages have been infected since at least Sunday afternoon. Some users also reported getting antivirus warnings while visiting Lenovo’s download website since Saturday.

Users who did go to the Lenovo pages to download support materials from late on June 18 (Friday) to June 21 (Monday) may have been affected by this compromise and should check their systems accordingly.

After a look at the forums, it seems that Symantec’s virus definitions dated June 21, 2010 r2 have identified various components of the awesome SCCM Right Click Tools (which I personally couldn’t survive without) as “Trojan.Gen”.

Since this is a generic detection name “for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics”, this has to be a false positive. This is just another example of how definition-based anti-virus tools are an outdated concept.

Hopefully this grievous error has been rectified in the latest definitions.

Websense® Security Labs™ ThreatSeeker™ Network has detected an interesting correlation between recent rounds of malicious emails and the JavaScript files being used in mass injections. First, let's think about recent malicious email campaigns. If you review our recent blog posts about fake virus alerts and World Cup-related malicious spam, you will see that the common theme in the two campaigns is that they contain heavily obfuscated scripts in the HTML attachments. In fact, we've seen from our bot lab that Zeus variants seem to be responsible for these messages, as well as a number of other messages with different subjects and themes that have malicious HTML attachments. The script from one of the email variants seemed oddly familiar.

Screenshot of one of the attached malicious HTML files:

Our ThreatSeeker™ Network puts us in the unique position of being able to scan emails and malicious Web sites to gain insights like these. Follow up on another reported mass injection campaign revealed a similarity that shouldn't be ignored between the injected .js files on compromised sites and the email attachments.

Screenshot of a malicious JavaScript file used in the injection attacks:

In fact, after deobfuscating these by hand, we found that the two files use the same algorithm to deobfuscate their hidden contents. These files fragment an obfuscated script amongst a number of variables in the file and concatenate them to get one long, obfuscated string. This string then goes through a series of .replace functions to turn it into an escaped string. Once the string is unescaped, the resulting character codes are obtained and used in an XOR operation. The resulting string of numbers from this XOR is then decoded as character codes to obtain the final, clear HTML attack code.

Step 1: Concatenate several variables to obtain one long, obfuscated string.

Step 2: Decipher the above string with a number of .replace actions to get an escaped string.

Step 3: Unescape the above string to get a listing of seemingly random characters.

Step 4: Obtain the character codes for each character in the above string.

Step 5: XOR the above character codes to get another string of character codes.

The final step is obtaining the characters that the above codes represent. Below are the screenshots of the final, clear script code generated by deobfuscating the email attachment and the .js files inserted into compromised hosts.

Screenshot of the deobfuscated email attachments:

Screenshot of the deobfuscated JavaScript attack file:

Now, if we follow the HTTP transactions from visiting one of the injected sites, we really begin to see that these appear to be structured as the same attack, possibly coming from the same group. Following one example, we can see that after the browser does a GET for the injected JavaScript file, there are two more GETs for redirection proxies, until finally we land on the attack site at /index.php?pid=7. From there, there are two further GET requests, for /Applet7.html and /Notes7.pdf. If you review the video we posted from the malicious virus alert emails, you will find that the flow for that attack was the same, except for the redirection proxies.

Screenshot of the HTTP flow after visiting an injected site:

Websense Messaging and Websense Web Security customers are protected against these attacks.
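The five-step unpacking described above, as an added example rather than Websense's or the samples' code: a static decoder that walks the same layers on a constructed sample and keeps every intermediate stage, which is what lets two samples (the email attachment and the injected .js) be compared layer by layer without ever executing them. The .replace() pairs, the XOR key and the marker text are assumptions; the real values have to be read out of each script.

```javascript
// Added example, not Websense's or the attackers' code: a static re-implementation
// of the five-step unpacking described above, exercised on a CONSTRUCTED sample.
// The .replace() pairs and the XOR key below are assumptions; real samples carry
// their own values in the script. Nothing is eval()ed; ASCII payloads are assumed.

const XOR_KEY = 0x2a;                              // assumed key
const REPLACE_PAIRS = [['#', '%'], ['!', '']];     // assumed chain: '#' -> '%', drop '!'

// Walk the layers in the order the page lists them and keep each intermediate
// stage, so two samples can be compared at every layer, not just at the end.
function decodeStages(fragments) {
  // Step 1: concatenate the fragments ("variables") into one obfuscated string
  const concatenated = fragments.join('');
  // Step 2: apply the .replace() chain to recover the escaped form
  let replaced = concatenated;
  for (const [from, to] of REPLACE_PAIRS) replaced = replaced.split(from).join(to);
  // Step 3: unescape the "%XX" sequences into seemingly random characters
  const unescaped = unescape(replaced);
  // Step 4: take the character code of each character
  const codes = Array.from(unescaped, ch => ch.charCodeAt(0));
  // Step 5: XOR every code with the key, giving the clear-text codes
  const xored = codes.map(c => c ^ XOR_KEY);
  // Final step: turn the codes back into characters
  const clear = String.fromCharCode(...xored);
  return { concatenated, replaced, unescaped, codes, xored, clear };
}

function decodeSample(fragments) {
  return decodeStages(fragments).clear;
}

// Build a constructed fixture with the same layering (the decode steps in reverse)
// so the decoder can be exercised offline. 'parts' is how many "variables" to use.
function buildFixture(clear, parts = 3) {
  const xored = Array.from(clear, ch => ch.charCodeAt(0) ^ XOR_KEY);
  const escaped = xored
    .map(c => '%' + c.toString(16).toUpperCase().padStart(2, '0'))
    .join('');
  const mangled = escaped.replace(/%/g, '#').split('').join('!');
  const size = Math.ceil(mangled.length / parts);
  const fragments = [];
  for (let i = 0; i < mangled.length; i += size) fragments.push(mangled.slice(i, i + size));
  return fragments;
}

// Constructed, harmless stand-in for the "clear HTML attack code" the page shows.
const CONSTRUCTED_CLEAR = '<html><body><!-- constructed harmless marker --></body></html>';
const CONSTRUCTED_FRAGMENTS = buildFixture(CONSTRUCTED_CLEAR);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeSample(CONSTRUCTED_FRAGMENTS));
}
```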

It's Signed, therefore it's Clean, right?

Posted by Mikko @ 11:08 GMT

Jarno Niemelä from our lab did a study on malicious Windows binaries that have been signed (with Microsoft Authenticode).

Turns out, we have copies of tens of thousands of malware samples that have been signed.

Malware authors are attempting to use code signing techniques to their advantage.

Details of this surprising find are presented in Jarno's presentation file, which can be downloaded from here (PDF). It was first presented in the CARO 2010 Technical Workshop in May 2010.

Jun 21, 3:57 am (UTC-7) | by Gedrick Lacson (Anti-spam Research Engineer)

Due to their ever-growing popularity, social networks have been a continuous target of cybercriminals to proliferate their malicious schemes. TrendLabsSM received samples of another Facebook spam, this time also taking advantage of the popular micro-blogging site, Twitter.

The mail, which poses as a Facebook notification message, uses adult-themed strings to lure users into opening the attachment. The .ZIP file attachment, Twitter.zip, contains the file twitter.html, which has an embedded malicious script that Trend Micro detects as JS_REDIR.AE.

Social networks are still on the verge of reaching their peak, as an increasing number of users spend more time on managing their accounts. According to the latest findings by Nielsen, social networking and blogging account for one in every four-and-a-half minutes people spend online.

With Facebook still remaining as one of the world’s most popular social media sites and Twitter not far behind, cybercriminals will most likely use these sites more and more to propagate malicious codes.

In fact, Twitter itself is also becoming a means of spreading spam. As discussed by Trend Micro researcher Rik Ferguson, malicious Tweets now lead to malicious .PDF and .EXE files detected as TROJ_PIDIEF.JCS and TROJ_SMALL.LEC, respectively.

Fortunately for Trend Micro product users, Smart Protection Network blocks the malicious files from running on user systems.

Additional text by Carolyn Guevarra and Jonathan Leopando

Jun 18, 5:15 am (UTC-7) | by Joey Costoya (Advanced Threats Researcher)

Mega-D is one of the most prolific spam botnets accounting for around 7 percent of the spam traffic worldwide. It once accounted for as much as 50 percent of the world’s spam volume but has quieted down since the high-profile takedown of the McColo hosting service, and the 2009 takedown of its command-and-control (C&C) servers.

Mega-D is still alive though not as prolific as it once was. We let loose a Mega-D spam bot sample in our malware lab to see how many spammed messages one spam bot can generate in a day.

As shown in the chart above, the single spam bot was able to generate around 2,553,940 spammed messages in a span of 24 hours, an average of 1,764 spammed messages per minute.

Based on FireEye’s 2009 estimate, the Mega-D spam bot’s population reached 264,784, amounting to an overall spam volume of 676,242,448,960 messages. That is a lot of spam!

The following is a spam sample generated by the Mega-D spam bot.

The link in the said spammed message will direct a user to a fake pharma site, the now all-too-familiar Web page of “Canadian Pharmacy” shown below.

The “Canadian Pharmacy” sites peddled by Mega-D bots are all hosted in .RU ccTLD (country code Top Level Domain). As of this writing, these .RU domains resolve to an IP space somewhere in China.

Note that the spam traffic graph was generated with Mailgraph. Rest assured that no spammed messages escaped our malware lab: all outgoing mail traffic shown in the Mailgraph chart was directed to one of our spam-processing systems.

XSS

Posted by Mikko @ 07:17 GMT

When a company is hit with a cross-site scripting (XSS) attack, the natural reaction is to downplay the significance of the incident.

After all, an XSS vulnerability on a site does not mean that the site could be hacked or shut down. A typical XSS demonstration showing a funny dialog box on somebody else's site just emphasizes how harmless such an attack looks.

However, XSS is not harmless. We were just hit by one last night. And we do not want to downplay it.

The vulnerability on f-secure.com was found by security researcher Xylitol. He reported it yesterday evening. Xylitol is well-known for finding XSS vulnerabilities on sites such as army.mil, ibm.com and nasa.gov.

The problem was on a download page for our Mobile Anti-Theft product (anti-theft-download-wizard.html). With some clever tinkering, it was possible to create a web link that would point to our site, but when clicked, it would execute JavaScript controlled by the attacker.

Above: result of accessing www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E before the page was fixed. Screenshot from xssed.net.

We almost got it right. In fact, the script on our page does successfully filter out control characters and other dangerous content. Unfortunately, almost doesn't count. We do the filtering right once, and wrong once.

Apparently we added a feature to the page as an afterthought, and that feature did not go through code review or testing.
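A minimal model of the "right once, wrong once" defect, as an added JavaScript example and not F-Secure's page code: the same hidManufacturer value is reflected twice, escaped in the hidden form field but raw in a later-added page title, beside the hardened version that escapes once where the untrusted value enters and reuses that copy everywhere. The page layout, the title feature and the helper names are assumptions; the parameter name and the payload come from the screenshot caption above.

```javascript
// Added example, not F-Secure's page code: a minimal model of the defect described
// above ("filtered right once, wrong once") with the hardened version beside it.
// The page layout, the render/escape helper names and the title feature are
// assumptions; only the hidManufacturer parameter and the payload come from the post.

// The payload from the screenshot caption above, decoded from its URL form.
const PAYLOAD = decodeURIComponent(
  '%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E');

// Escape the five characters that can change meaning in HTML text, attribute values
// and RCDATA elements such as <title>. Inside <title> the only way out is a literal
// "</title>", so escaping '<' is what keeps an injected tag from closing it early.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Read the parameter the way the wizard page does: from the query string.
function getManufacturer(pageUrl) {
  return new URL(pageUrl).searchParams.get('hidManufacturer') || '';
}

// Vulnerable model: the original hidden-field reflection is escaped (right once);
// the afterthought "show it in the title" feature reflects the raw value (wrong once).
function renderVulnerable(manufacturer) {
  return '<html><head><title>Anti-Theft download: ' + manufacturer + '</title></head>' +
         '<body><form><input type="hidden" name="hidManufacturer" value="' +
         escapeHtml(manufacturer) + '"></form></body></html>';
}

// Hardened model: escape at the single point where the untrusted value enters the
// page, then reuse the escaped copy in every context it appears in.
function renderFixed(manufacturer) {
  const safe = escapeHtml(manufacturer);
  return '<html><head><title>Anti-Theft download: ' + safe + '</title></head>' +
         '<body><form><input type="hidden" name="hidManufacturer" value="' +
         safe + '"></form></body></html>';
}

// Regression check a code review or test suite can run over a rendered page:
// any <script> start tag beyond the ones the template itself emits is a reflection bug.
function hasInjectedScript(html, templateScriptTags = 0) {
  const found = (html.match(/<script\b/gi) || []).length;
  return found > templateScriptTags;
}
```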

The problem has been fixed now. It was limited to our static Mobile Anti-Theft pages, and did not give access to any of our systems. This problem has not been used to do any harmful activities.

In any case, we were burned.

So, what could have been done with this vulnerability? Well, for example, somebody could have sent out a spam campaign, claiming to be from F-Secure, pointing to a link apparently at www.f-secure.com. And when that link would have been clicked, it would have downloaded malware (from some other site) to the user's computer. XSS vulnerabilities can be used to create serious problems. Luckily, in this case nothing bad happened.

Here's the time line of the incident:

  • Xylitol published an article on the problem in the early evening of 17th June
  • We noticed the article at 20.51 EEST, 17th June
  • We started fixing the problem at 02.15 EEST, 18th June
  • We shut down the Mobile Anti-Theft page temporarily for fixing and isolating the problem at 02.45 EEST, 18th June
  • The page was republished at 06.05 EEST, 18th June

Use of legitimate sites in malicious web attacks

MarissaVicario

June 17th, 2010

Tags: Hosted Mail Security, Security, MessageLabs Intelligence

Posted on behalf of Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services

The MessageLabs Hosted Web Security Service (WSS) blocks millions of web requests every day to protect users from content that is either malicious or has been determined to be off limits based on company policy.  In a typical week in 2010 Symantec Hosted Services performs about 107 million blocks (up from 90 million per week in 2009), on 5-10 million distinct URLs, for several thousand clients.  That’s tens of thousands of blocks per client per week on average.  

Of these blocked URLs, 99.96% are policy based blocks the biggest proportion of which is for advertising, mostly pop-up ads or auto-forwarding to ads.  Also, Symantec Hosted Services blocks web sites related to Adult/Sexually Explicit material, Violence, Tasteless & Offensive material, Weapons, Criminal Activity, Gambling and Illegal Drugs to name a few.  Clients have full control over what sites are off limits based on company policy. For example, a company whose business is betting/gambling would allow staff to view gambling sites as part of their job.

The remaining 0.04% of blocks is malicious. While this number may seem small, it could realistically translate to many tens of thousands of blocks in a week.  The malicious blocks are tiny in proportion to all blocks but very important as they are of great risk to the client.  Malicious web sites are not a matter of policy and they do not fall under any particular category.  In theory almost any web site is capable of hosting malware or forwarding to a site that does.  Sites can be set up and hosted by criminals, or legitimate websites can be compromised.  One malicious website, visited by one unsuspecting user, may be all that is required to breach the defences of a business, and cause disruption, loss or damage to reputation.  For example, sensitive systems could be accessed, malware could spread within the company networks, or valuable information could be stolen.

Malicious blocks can be classified as spyware or virus. Of all malicious blocks the split is 4% spyware, 96% virus.  URLs that are blocked as spyware could be pop-up ads, attempts to track browsing behaviour or attempts to change the way a browser operates.  URLs can be blocked as a virus for many different reasons.  The ultimate danger is always the same, either to get some malware onto the target computer or to obtain personal details.

There used to be a time when one had to actually do something slightly silly to become infected whilst browsing the internet.  And computer users were much more likely to be infected browsing sites in the ‘shadier’ corners of the internet, for example sites containing adult/sexual content.  The well behaved and educated surfer was pretty safe.  Today, this is no longer the case.

Internet users are in more danger than ever.  Being careful or aware no longer guarantees your safety.  One of the biggest dangers is the drive-by download – no action required! 

Drive-by downloads stealthily look for vulnerabilities in the browser, browser plug-ins or other software on a machine. They then use these weaknesses to download malware onto your PC. Often the user will be completely unaware that this has happened. Keeping your browser, plug-ins and other software up to date greatly reduces the chances of a drive-by attack.

In the last two to three years, worryingly, attackers have increasingly shifted from creating new malicious websites and serving malware on them to compromising legitimate sites. In 2009, MessageLabs Intelligence estimated that 80% of malicious web attacks take place via legitimate, compromised sites -- sites the average user visits all the time. This is a survival tactic: we later demonstrated that the threat is more prolonged on legitimate sites, and the attackers are very likely to be aware of this fact (http://www.messagelabs.co.uk/mlireport/MLI_2009.09_Sept_SHSFINAL_EN.pdf, and http://www.messagelabs.co.uk/mlireport/2009MLIAnnualReport_Final_PrintResolution.pdf). In 2010 so far, using the same approach, the proportion of malicious domains that are legitimate has increased dramatically compared to last year – it’s now about 90%.

Here is a typical example of how legitimate sites can be used in a malicious web attack.

Imagine a user searches for a topic of interest, e.g. oil spill.

The user is taken to an apparent YouTube webpage. Actually, it’s a fake YouTube page, located on a legitimate, compromised website (a business that sells paper shredders). The user clicks to play the video.

No video plays.  Instead, a window pops up asking the user to ‘install media codec’.

If the user clicks ‘OK’, an executable file is downloaded from yet another legitimate, compromised website (a company selling eco-friendly money saving products).  The file downloaded is called setup_2033.exe.  So far two different compromised legitimate websites have been used in this single attack.

Once setup_2033.exe is downloaded, a window pops up prompting the user to run the executable.  Still believing that setup_2033.exe is an updated media codec, the user clicks ‘Run’.

The executable runs, and connects to a botnet, from which it takes instructions on what to do next. Another window pops up: ‘Attention! 21 infected file detected!’. This is a rogue AV attack (often also referred to as ‘Fake AV’ or ‘Scareware’). These attacks are normally designed simply to generate money for the attackers, although sometimes they lock the victim’s PC and hold it to ransom, or infect the user in some other way as well.

It informs the recipient that their PC is infected (it’s a completely made-up message and bears no relation to the state of the victim’s PC). Upon clicking on this window, e.g. the ‘Remove All’ button, the user is taken to a payment page. The victim believes they are paying to have their PC protected; in actual fact they are paying for absolutely nothing. The rogue AV alerts may go away once the victim pays, but some remnant may remain on the PC, meaning that pop-ups return at a later date, or the PC is later used for some other nefarious activity.

This is a classic example of multiple legitimate sites being unwitting parts of a malicious attack.  In this case attackers used these sites to store executable files under various directories, either created when they compromised the site or already used by the site for some other purpose.

Legitimate sites affected in this way may be blissfully unaware for days, even weeks, that harmful malware is being downloaded from their site. The attackers could place files on these sites by obtaining the login details of the administrator, either because the password is weak, or by some other method, e.g. a phishing attack.
