June 2006 - Posts

Users should always be careful to avoid processing files or URLs in the Instant Messaging environment. This new IM threat disguises itself as the new WGA process Microsoft is using to ensure the Windows OS has the proper license control keys.

Cuebot-K IM Worm - Hides as a Windows Genuine Advantage (WGA) Service

W32/Cuebot-K is an instant messaging worm and backdoor for the Windows platform. W32/Cuebot-K spreads via AOL Instant Messenger. The file wgavn.exe is registered as a new system driver service named "wgavn", with a display name of "Windows Genuine Advantage Validation Notification" and a startup type of automatic, so that it is started automatically during system startup.
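One way to check a machine for the persistence described above, as an added example that is not code from the original post or from the AV vendor: it looks for a service or driver with the name or display name given in the write-up and reports whether its binary carries a valid Microsoft signature. It assumes Windows PowerShell 5.1 in an elevated prompt; the wildcard display-name pattern is an assumption intended to catch renamed variants.

```powershell
# Added example, not code from the original post: look for a service or driver that matches
# the Cuebot-K persistence described above and check whether its binary is Microsoft-signed.
# Assumes Windows PowerShell 5.1 in an elevated prompt; $serviceName and $displayPattern
# come from the write-up, the wildcard on the display name is an assumption to catch variants.

$serviceName    = 'wgavn'
$displayPattern = '*Genuine Advantage*'

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    # Image paths come quoted, with arguments, with NT prefixes (\??\, \SystemRoot\),
    # or relative to the Windows directory (typical for kernel drivers); normalise them.
    if (-not $ImagePath) { return '' }
    $p = $ImagePath.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split '\s+')[0] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Win32_BaseService returns both Win32 services and kernel drivers; the write-up says the
# worm registers itself as a driver service, so querying Win32_Service alone could miss it.
$hits = Get-CimInstance -ClassName Win32_BaseService |
    Where-Object { $_.Name -eq $serviceName -or $_.DisplayName -like $displayPattern }

foreach ($svc in $hits) {
    $exe    = Resolve-ServiceBinary $svc.PathName
    $status = 'FileMissing'
    $signer = ''
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    # A genuine Microsoft component is signed by Microsoft; anything else registered under
    # this display name deserves a closer look (quarantine the file, review the service entry).
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        StartMode   = $svc.StartMode
        State       = $svc.State
        Binary      = $exe
        Signature   = $status
        Signer      = $signer
        Suspicious  = ($status -ne 'Valid') -or ($signer -notlike '*Microsoft*')
    }
}
if (-not $hits) { "No service named '$serviceName' or matching '$displayPattern' is registered." }
```

The same query run across a fleet (or against an offline registry hive) gives a quick inventory of auto-start entries hiding behind a trusted-sounding display name.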

OSX.Leap.A is a new trojan horse that targets the Macintosh OS X and spreads via iChat Instant Messenger program.

OSX.Leap.A - New Mac OSX Trojan Horse

OSX.Exploit.Launchd is a Trojan horse that exploits the Apple Mac OS X LaunchD Local Format String Vulnerability (as described in Security Focus BID 18724). It provides root access on Macintosh OS X version 10.4.6 or earlier.

It's important to stay up-to-date on all software products. New vulnerabilities were recently discovered in Open Office 2.0, and all users should move to the latest release.

New Open Office Vulnerabilities - Security release v2.0.3 available

Security Bulletin 2006-06-29 -- OpenOffice.org 2.0.3 fixes three security vulnerabilities that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.

According to media reports, the laptop was stolen from the home, sold for $100, and had not been booted up beyond the password prompt (as it was password protected under XP or 2000). Thankfully, this appears to be more of a random burglary than someone looking to conduct identity theft on a massive scale.

Still, when we put on our security hats, we know that much more could be possible. Let's hope for a good outcome on this.

Stolen Laptop with info on 26 million Veterans recovered

QUOTE: The Veterans Affairs Department said today that law enforcement officials had recovered the stolen laptop containing the personal data of more than 26 million veterans, and that initially it looks as though the data has not been accessed.

The FBI said in a statement that a preliminary review of the equipment by the computer forensics team has determined that the database remains intact and has not been accessed since the laptop was stolen.

Sophos has declared this new spammed email attack MEDIUM RISK (3 out of 5 rating), although other AV vendors currently rate it as low risk.

Kukudro-A - MS Word attack spammed in email

Example of spammed message

SUMMARY: W97M/Kukudro is a macro trojan that arrives as a Zip file attachment containing a Word document, which drops and executes a Downloader trojan on the victim's computer. Sophos has seen the Trojan horse spammed out in email messages with the following subject lines: "worth to see", "prices", "Hi", or "Hello". It uses a very old vulnerability in Microsoft Word (MS01-034) where the malicious code is run automatically just by viewing the document that contains it (impacting mostly unpatched Office 2000 users).

RECOMMENDATION: Stay up-to-date on AV protection and avoid all spam or untrusted URLs/attachments in your email.

These are rated as a "moderate risk" and proof-of-concept exploits have been developed.

New IE unpatched OuterHTML and HTA vulnerabilities

1) An error in the handling of redirections can be exploited to access documents served from another web site via the "object.documentElement.outerHTML" property.

2) An error in the handling of file shares can be exploited to trick a user into executing a malicious HTA application via directory traversal attacks in the filename. Successful exploitation requires some user interaction.

The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

1) Disable Active Scripting support.
2) Filter Windows file sharing traffic.

ISC Testing Note: Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla Firefox.

Below is an updated list of recommendations, shared in the Sarbanes-Oxley forums ... To me, the cornerstones for success are planning, training, and commitment ... Wishing all those companies who must adopt these standards the utmost success.


1. Set up a Project Plan for meeting SOX compliance requirements (research and explore what is needed prior to doing anything). Good planning will pay dividends in establishing this process.

2. Get training right away. The core team and especially the leader of the process should invest a week or so in training. Consider attending a formal seminar away from work where you can focus and interact with other participants. This will create a good foundation for what's required.

3. Perform an inventory of all your IT applications. Identify all of your financial systems and look for any indirect relationships.

4. In conjunction with the inventory, examine the workflow and human factors surrounding financial processing.

5. After the inventory, perform a Risk Management study on all your financial applications (looking at the possibility that someone could either accidentally or intentionally alter financial records).

6. Look at ways of strengthening the financial process and implement new controls (e.g., versioning, change management, and security).

7. Evaluate random sampling controls and requirements for your financial applications to set up a testing/sampling program on controls each quarter or month, depending on the needs.

8. Evaluate the SOX 404 standards for best practices associated with IT control improvements. Set up a plan to implement and improve standards. Evaluate the COBIT 4.0 standards for IT controls over financial applications (note that COBIT 3.0 is the minimal acceptance level).

9. Work closely with both internal and external auditors and gain their approvals for the work that will be done.

10. Set up an e-Library (electronic documentation library) to include all your SOX documents, test plans, communications, etc.

11. Make sure you obtain senior management support for the process. It is an important aspect of implementing change. They must also support the additional work, human resources, and costs that will be needed to gain compliance.

12. After the initial process is implemented, continue to improve the SOX controls and keep up-to-date with changes in business and legal requirements.

The ISC has a good summary today of in-the-wild and POC exploits associated with the three areas of risk. These are not prevalent in the wild, and staying up-to-date on AV protection will help. Most importantly, avoid all untrusted documents or URLs in email.


QUOTE: To help clearly identify the issues, exploit code and remedy related to the recently announced Excel vulnerabilities, I offer this humble correlation. This information comes from Microsoft, Mitre, and vigilant readers sending in tips. My thanks go to all.

CVE-2006-3059 aka "Excel Repair Mode"

Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B

CVE-2006-3086 aka "Long Hyperlink"

Exploited by: Urxcel.A, and three known public exploit code examples

CVE-2006-3014 aka "Shockwave vulnerability"
Exploited by proof-of-concept code Flemex.A ... The workaround is a killbit.

Security Bulletin Advance Notification


FrSIRT noted developments for MS06-025 and revised their status from "Green" to "Yellow" overnight. The MS06-025 exploit impacts Windows 2000 users but not XP SP2 users. Hopefully, there won't be the in-the-wild attacks they anticipate now that the exploit code has been publicly released.

Everyone should be on the latest security patches and continue to avoid untrusted Excel documents until Microsoft patches these vulnerabilities.

Microsoft Windows Exploits Out - FrSIRT CTL™ Raised to Level 2

Microsoft Windows Routing and Remote Access Code Execution Issues (MS06-025)

Quote: Two remote code execution exploits that take advantage of vulnerabilities affecting Windows have been publicly released.

The first code targets a critical Windows Remote Access Connection Manager vulnerability (MS06-025) addressed last week. Microsoft Windows 2000 systems are primarily at risk from this exploit.

The second code exploits the recently disclosed Windows / Excel memory corruption (0day) and opens a command shell on port 4444 when a specially crafted link is clicked.

FrSIRT Current Threat Level has been raised to ELEVATED (Level 2/4) ... We should expect to see active exploitation of these vulnerabilities in the wild within a few hours.  Published : 2006.06.22 - 11:12:55 UTC

This new threat uses advanced techniques to hide its presence on an infected system.

Mailbot.AZ - manipulates NTFS ADS and includes kernel mode root kit

QUOTE:  Many of our readers have probably heard of Alternate Data Streams (ADS) on NTFS. They're not that well documented and there are only a few tools that can actually handle them. Lately we've been looking at variants of the Mailbot family that use hidden streams to hide themselves.

Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single component lying on the disk, and that is a kernel-mode driver. It's stored as hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one.

We've just released a new version of our BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.

Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named "services.exe". The payload is a Spamtool with backdoor capabilities.
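The hiding place the quoted post describes, a data stream attached to a directory, can be enumerated with the Win32 FindFirstStreamW/FindNextStreamW API. The following added example (not F-Secure's code, nor BlackLight's) wraps that API from PowerShell and lists every stream found on the directories under a root; the default root of System32 and the PowerShell 3.0+ requirement are assumptions.

```powershell
# Added example, not F-Secure's code: enumerate NTFS alternate data streams attached to
# directories, the hiding place the quoted post describes for the Mailbot.AZ driver.
# Assumes Windows PowerShell 3.0+; $Root defaults to System32 (an assumption, change as needed).
param([string]$Root = "$env:SystemRoot\System32")

# Get-Item -Stream is file-oriented, so call FindFirstStreamW/FindNextStreamW directly.
# FindFirstStreamW only enumerates ::$DATA streams, and a directory has no unnamed
# $DATA stream, so every entry it returns for a directory is an alternate stream.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class AdsEnum {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct FIND_STREAM_DATA {
        public long StreamSize;                                                        // LARGE_INTEGER
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] public string StreamName; // MAX_PATH + 36
    }
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstStreamW(string path, int infoLevel, out FIND_STREAM_DATA data, uint flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextStreamW(IntPtr handle, out FIND_STREAM_DATA data);
    [DllImport("kernel32.dll")] static extern bool FindClose(IntPtr handle);
    public static List<string> Streams(string path) {
        var found = new List<string>();
        FIND_STREAM_DATA d;
        IntPtr h = FindFirstStreamW(path, 0, out d, 0);      // 0 = FindStreamInfoStandard
        if (h == new IntPtr(-1)) return found;                // INVALID_HANDLE_VALUE: no streams or no access
        do { found.Add(d.StreamName + "\t" + d.StreamSize); } while (FindNextStreamW(h, out d));
        FindClose(h);
        return found;
    }
}
'@

$dirs  = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$found = foreach ($dir in $dirs) {
    foreach ($entry in [AdsEnum]::Streams($dir.FullName)) {
        $name, $size = $entry -split "`t"
        [pscustomobject]@{ Directory = $dir.FullName; Stream = $name; Bytes = [long]$size }
    }
}
if ($found) { $found | Format-Table -AutoSize } else { "No alternate data streams on directories under $Root" }
# As the post warns, an active kernel-mode rootkit can filter this API, so an empty result
# on a live system is not proof of absence; repeat the check after a clean boot.
```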

Only trained IT professionals testing their own networks should use these tools. nmap, which was purposely excluded, would be on this list as well. Each tool should be carefully assessed before being used in network penetration tests. Still, it's beneficial to test with some of the same tools that are used by the hacker community to ensure technical defenses are in place at all points.

There's been a rash of new Bagle variants launched lately, and one key variant can download a more potent root kit onto the infected PC if the download site is operational. F-Secure is reporting one new variant per day, so have the cream cheese ready ...

New Bagle Variants

Rootserv - uses Kernel Mode Root Kit Techniques

Trojan.Rootserv is a Trojan horse that uses kernel mode root kit technology to hide processes, files and registry entries. It also terminates various security-related processes and prevents them from running.

I've been using Opera as one of my complementary browsers for a number of years. While they enjoy a good security track record, a day after the release a new proof-of-concept vulnerability has surfaced which can trigger a denial of service attack (i.e., this is a minor security risk where the browser might hang for an extraordinary length of time).

Opera 9 - New Denial of Service POC vulnerability

QUOTE: Well, it didn't take long. Yesterday, Opera 9 came out; today there is a proof of concept for a long href denial of service exploit. No word on when a patch will be available.

Opera Software

QUOTE: Opera Software today released Opera 9, its newest Web browser for PCs. You can download it free in more than 25 languages for Windows, Mac, Linux and other platforms from www.opera.com. Opera 9 enhances the way you access, share and use online content by including innovative widgets - fun, small and useful Web programs - and support for BitTorrent™, the popular file distribution technology. Even while adding these improvements, Opera 9 maintains the security and speed millions of Opera fans have come to expect.

Secure browsing is still the single most important attribute of any Web browser. Opera has a long track record of keeping you safe while online. By introducing the security bar to prevent scams like phishing and strengthening Opera 9's pop-up blocker to weed out annoying or potentially malicious pop-ups, Opera gives you new options for safe browsing.

A new vulnerability has surfaced with a proof-of-concept exploit. So far, there are no documented reports of this being exploited in the wild. Users should remain cautious with untrusted email attachments, in case this is spammed by email later. Microsoft is working on patches for Excel, as noted in their blog entries.

Microsoft Information

Microsoft Office Long Link Buffer Overflow Vulnerability

QUOTE: The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document.  The vulnerability has been confirmed in Microsoft Excel 2003 SP2 (fully updated). Other versions and Office products may also be affected.
