October 2007 - Posts

This 1.4 MB PowerPoint presentation contains 60 slides and was recently referenced on the Sunbelt and John Levine blogs.


EXCELLENT PowerPoint Presentation - Download Link

QUOTE: Last weekend, Brandon Enright of UC San Diego gave an informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year, with both upgrades to the underlying engine and a variety of applications, most of which involve sending spam.

Everyone should avoid e-cards or other "fun links" associated with Halloween.  The Storm Worm has also been adapted to trick folks with this theme, as noted by Websense.  Clicking on these links could lead to hours of restoration and repair work.

Storm Worm - New Halloween based attacks

QUOTE: Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:

Example of a new Halloween-based attack email:

Subject:  Nothing is funnier this Halloween
Body:     Come watch the little skeleton dance.
          (Malicious URL Removed)

This interesting finding shows how malware can slip past anti-virus scanning of web pages when the scripts embedded in the HTML are padded with zero bytes that the browser silently ignores.

An Old IE Trick

QUOTE: When I found a malicious script riddled with 0x00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0x00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.

When I remove all obscuring zero-bytes from this script, things get better: 25 out of 32 AV products detect it. But what happens when I add more zero-bytes to the script?  Even more AV are fooled! Gradually adding more zero-bytes makes the detection ratio go down.

And at 254 zero-bytes between the individual characters of the script, McAfee VirusScan is the only AV to still detect this obscured script. One byte more (255 zero-bytes), and VirusScan doesn’t detect the script anymore.  No AV on VirusTotal detects this malware obscured with 255 zero-bytes (or more). But for IE, this obscured HTML poses no problem, it still renders the page and executes the script.
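The quoted finding has a simple defensive lesson: a scanner that matches signatures against the raw bytes of a page sees something different from what Internet Explorer renders. The following added example (not code from the original post or from Didier Stevens) reproduces the padding described above on a constructed, benign script, shows that a naive substring signature stops matching once zero bytes are interleaved, and shows that normalising the page the way IE does (dropping every 0x00) restores detection regardless of how many zero bytes were inserted. The sample script and signature are constructed for the demonstration.

```python
# Added example: why content scanners must normalise IE-style zero-byte padding
# before signature matching. Sample script and signature are constructed, not real.

SAMPLE_SCRIPT = b'<script>document.write("constructed sample");</script>'  # constructed, benign
SIGNATURE = b'document.write("constructed sample")'                      # constructed signature


def interleave_nulls(data: bytes, count: int) -> bytes:
    """Reproduce the padding described in the post: `count` 0x00 bytes between every pair of bytes."""
    if count < 0:
        raise ValueError("count must be non-negative")
    return (b"\x00" * count).join(bytes([b]) for b in data)


def normalize_ie_nulls(data: bytes) -> bytes:
    """Mimic the rendering behaviour described above: Internet Explorer ignores every zero byte."""
    return data.replace(b"\x00", b"")


def naive_match(data: bytes, signature: bytes) -> bool:
    """Signature check against the raw bytes, as a scanner that does no normalisation would do."""
    return signature in data


def normalized_match(data: bytes, signature: bytes) -> bool:
    """Signature check against the bytes IE would actually interpret."""
    return signature in normalize_ie_nulls(data)


def scan(data: bytes, signature: bytes) -> dict:
    """Report both verdicts plus how many zero bytes the input carried (a useful heuristic on its own)."""
    return {
        "raw_match": naive_match(data, signature),
        "normalized_match": normalized_match(data, signature),
        "null_bytes": data.count(b"\x00"),
    }


if __name__ == "__main__":
    for padding in (0, 1, 254, 255):
        obscured = interleave_nulls(SAMPLE_SCRIPT, padding)
        print(padding, scan(obscured, SIGNATURE))
```

A high count of zero bytes inside a text/html body is itself worth alerting on, since well-formed HTML has no reason to contain them; the `null_bytes` field in the scan result is there for exactly that purpose.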

Websense has warned of a new HTML-based e-card in the Spanish language.  It is designed to load a Trojan horse that can steal banking account credentials from the infected PC.  More threats could potentially emerge, so please be careful out there.

New Halloween e-card threats

Sample e-card from Websense

QUOTE: Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico.  To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe". It is also poorly detected by anti-virus signatures.

Assuming users access the site and choose to run the file, a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users. The file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines.

This chart shows that rootkits, botnets, and other advanced attacks have doubled during the past year.  Because these are actual infections rather than detections, it signifies that malware authors are using improved social engineering tactics and technical innovations to slip malware through defense systems (e.g., massive spam attacks, crafted exploits, etc.).

This finding illustrates that it's more important than ever to stay up-to-date with security protection and to exercise caution in email, IM, and website visitations. 

Trend Micro reports 200% increase in Severe Malware Infections

QUOTE: An infections graph released by the Trend Micro Threat Analytics shows that the growth in severe malware infections grew 200% throughout 2007.

Please be very cautious with any PDF files received in EMAIL messages.  If you use Adobe Reader, it's very important to move to the latest version, 8.1.1, and keep AV protection updated.

Malicious PDF files being spammed out in volume

QUOTE: Malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during last hour and the spam run is still continuing. The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more components. At this point it's not clear yet what is the final payload of the malware, because of missing files in the download chain. We are investigating further.

The subjects for the spam messages include:

Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report

The Storm worm botnet is so well protected that its central servers and malware authors have remained anonymous.  Besides using fast-flux servers that are ever changing, the Storm worm client can launch a DDoS attack against researchers who probe its infrastructure while trying to reverse engineer the code and determine how it works.

Storm worm strikes back if researchers attempt to discover its origin

QUOTE: The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Corman, host-protection architect for IBM/ISS, who led a session on network threats.

A recently discovered capability of Storm is its ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them. Users will see that, say, antivirus is turned on, but it isn't scanning for viruses, or as Corman puts it, it is brain-dead. "It's running, but it's not doing anything."

October is Cyber-Security month and CIO Magazine has published some excellent articles:

Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy http://www.cio.com/article/print/135500
Hacker Economics 2: The Conspiracy of Apathy http://www.cio.com/article/print/135550
Hacker Economics 3: MPACK and the Next Wave of Malware http://www.cio.com/article/print/135551
A Layman's Glossary of Malware Terms http://www.cio.com/article/print/135453
How Gozi's First Second Unfolds http://www.cio.com/article/print/135451
Death by iFrame http://www.cio.com/article/print/135452

RealNetworks issued the RealPlayer security patch promptly, and it should be applied without delay.

Real Player - Security Release for critical ActiveX vulnerability

Solution - Apply patch for RealPlayer 10.5 and 11 beta:

Newer Storm worm variants drop files under different names, so the most up-to-date standalone cleaner should be used when cleaning infections.

Storm Worm - Now infects PC with different file names

QUOTE: We all know that Nuwar aka Storm gang has been continuously changing their spam email text, download sites, executables, network traffic patterns etc in their efforts to penetrate through the security defenses at various layers, all throughout this year. I had a chance to briefly look at a 'fresh' Nuwar sample this weekend. It is interesting that they have now also changed the names of files Nuwar drops. It now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys, and Spooldr.ini correspondingly. It also tried to actively propagate by copying itself on the floppy drive, which is new.

This site is one of my favorite links for locating malware cleaning facilities:

(see links on left top side -- "Free Protection and Removal Tools")

Users should not open any untrusted TIFF images using the iPhone's Safari web browser and should watch for security patches to be released by Apple.

iPhone unpatched vulnerability and Exploit

Description: A vulnerability has been reported in Apple iPod touch and Apple iPhone, which potentially can be exploited by malicious people to compromise a vulnerable device. The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari web browser. The vulnerability is reported in iPod touch version 1.1.1 and iPhone version 1.1.1. Other versions may also be affected.

Solution: Do not browse untrusted web sites and do not open untrusted TIFF images.

A new zero-day RealPlayer exploit is reported to be actively circulating; it targets a vulnerability in the RealPlayer ActiveX control. RealPlayer uses this ActiveX control to extend browser functionality, and a maliciously crafted web page can abuse it to install malware automatically. Users should avoid or be careful with all RealPlayer content until this is fixed. A kill bit can be set to deactivate the ActiveX control, as noted below.

Real Player - Zero Day Exploit circulating

QUOTE: Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score.  According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited and malicious code downloaded to any PC that wanders to a specially crafted site.

KILLBIT CAN BE SET: The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

KB Article - How to set Killbit for ActiveX objects
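Setting a kill bit means creating the CLSID subkey under the ActiveX Compatibility key quoted above and giving it a "Compatibility Flags" DWORD value of 0x400, which is the value Microsoft's KB article documents for disabling a control in Internet Explorer. The following added example (not from the original post, Symantec or Microsoft) generates a .reg file for one or more CLSIDs so the change can be reviewed and deployed consistently rather than typed by hand; it validates the CLSID format first, because a malformed GUID silently creates a useless key. The RealPlayer CLSID is the one quoted above; the Wow6432Node path is included as an option for 32-bit IE on 64-bit Windows.

```python
# Added example: build a reviewable .reg file that sets the ActiveX kill bit for given CLSIDs.
import re

KILLBIT_FLAG = 0x400  # "Compatibility Flags" value that sets the kill bit (Microsoft KB 240797)
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# Same key under Wow6432Node, used by 32-bit Internet Explorer on 64-bit Windows.
ACTIVEX_COMPAT_KEY_WOW64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
REALPLAYER_CLSID = "{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}"  # CLSID quoted in the post above

_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid: str) -> str:
    """Upper-case the GUID, add the braces if missing, and reject anything that is not a well-formed CLSID."""
    value = clsid.strip().upper()
    if not value.startswith("{"):
        value = "{" + value + "}"
    if not _CLSID_RE.match(value):
        raise ValueError(f"not a well-formed CLSID: {clsid!r}")
    return value


def killbit_key(clsid: str, wow64: bool = False) -> str:
    """Full registry path of the kill-bit subkey for this control."""
    base = ACTIVEX_COMPAT_KEY_WOW64 if wow64 else ACTIVEX_COMPAT_KEY
    return base + "\\" + normalize_clsid(clsid)


def killbit_reg_file(clsids, include_wow64: bool = False) -> str:
    """Render a Registry Editor 5.00 file that sets Compatibility Flags = 0x400 for every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        paths = [killbit_key(clsid)]
        if include_wow64:
            paths.append(killbit_key(clsid, wow64=True))
        for path in paths:
            lines.append(f"[{path}]")
            lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
            lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(killbit_reg_file([REALPLAYER_CLSID], include_wow64=True))
```

Importing the generated file with regedit (or pushing it through your software distribution tool) is all that is needed; Internet Explorer consults the key when it is next asked to instantiate the control, so no reboot is required. Keep the file in version control so the set of killed controls is auditable.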

These email messages should be blocked or deleted if found. The advice is always misleading, and folks are better served by researching stock information on legitimate websites.

Stock spam - New MP3 version will try to talk you into it

QUOTE: MP3 Version of Pump-and-Dump Stock Spam

Pump-and-dump stock spam is a classic example of sophistication and diversity of spam techniques. Recently the pump-and-dump spammers have started using mp3 files as a new method of spreading stock spam. In the latest observations we've seen an mp3 file as an attachment in the body of an email message – without any content – and the subject line usually includes "RE:", "FW:", or is sometimes just blank. The "From:" address is usually random. Another feature of this new pump-and-dump stock attack is that the mp3 files have random names, such as the following examples:

The average file size is approximately 63.3 kb, with the garbled stock tip lasting for about 30 seconds. The audio content sounds something like the below example: "Hello, this is an Investor alert. nnnnn Inc. has announced it is ready to launch its new nnnnn.com Web site. Already a huge success in Canada, we are expecting amazing result in USA. Go read the news and hit on nnnnn that Symbol get it nnnnn Thank you"

All Firefox users should move to the latest release for improved security.  Most users will be prompted to auto-update, and these security improvements should be completed as soon as possible.

Firefox - Security Release


Mozilla Foundation Security Advisory - Fixed in Firefox
MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption

Oracle DBAs and system administrators should pilot test and quickly deploy the quarterly security updates as applicable.

Related Article
Oracle - Quarterly Release Links

Oracle - October 2007 Security release details

QUOTE: Oracle Corp. will release security updates for its products next week fixing 51 vulnerabilities in its products.  Included in the Critical Patch Update, set to be released Tuesday, will be critical updates for the company's flagship Oracle Database. Twenty-seven database bugs will be fixed, but five of the bugs can be "exploited over a network without the need for a username and password," Oracle said in a note on next week's patches.