April 2008 - Posts


The e-Week cartoon above is excellent in illustrating the dangers of using a "good worm" to clean up perhaps the top botnet infection in the world. While DV Labs might be able to accomplish this, there is always a danger that the bad guys could manipulate the worm, and if something were to go wrong on the individual PCs being cleaned there could be unintended consequences, even for a good deed.

A better idea is for DV Labs to work with MSRC and share the Kraken encryption techniques so that they may be included in a future version of MSRT. And as previously shared, there is no such thing as a good worm.


QUOTE: We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self spreading uncontrollable entity. In our specific case however we have the ability to cease at any point. It is simply a one to one relationship.

A new major security attack occurred over the weekend, where over one half million web pages became infected with malware agents.

A major wave of automated SQL Injection attacks is occurring. These have been designed and coded for the IIS and SQL Server environments. There are no new vulnerabilities in these products; the attacks succeed on sites where security best practices have not been designed into the application (e.g., techniques that prevent malicious input from being injected into a vulnerable SQL statement and written into the website's pages).

Due to the increasing number of SQL Injection attacks in the wild, web developers need to ensure they are using the best development practices. Users should continue to be cautious about the sites they visit and stay up to date on security patches and AV protection.

Huge SQL Injection attacks infect 500,000 pages

QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages.  We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

IIS Blog - SQL Injection Attacks on IIS Web Servers

QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.

MSRC Blog - Questions about Web Server Attacks

QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database.  To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here.

BEST PRACTICES - How to protect against SQL Injections

-- Learn how SQL injection attacks work.
-- Constrain input to prevent SQL injection.
-- Use type safe SQL command parameters to prevent SQL injection.
-- Use a least privileged account to connect to the database.
-- Learn additional countermeasures to further reduce risk.

What are SQL Injection attacks?

QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
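The best-practices list above (constrain input, use typed parameters) shown side by side with the defect the mass attacks relied on. This is an added example, not code from the original post or from Microsoft; it uses Python with an in-memory SQLite table and constructed sample rows, and the same parameter-binding pattern applies to SqlCommand parameters in ASP/ASPX code against SQL Server.

```python
"""Vulnerable string-built query beside its parameterized and input-constrained
forms. Sample data is constructed for this example; the table stands in for a
site's content catalogue, including an unpublished row the public should not see."""
import re
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
conn.executemany(
    "INSERT INTO products VALUES (?, ?, ?)",
    [(1, "router", 1), (2, "switch", 1), (3, "draft item", 0)],
)


def search_vulnerable(term):
    """Builds the statement by string concatenation, so the caller's text becomes
    part of the SQL grammar. A quote or comment sequence in the input changes the
    WHERE clause instead of being compared as a value."""
    sql = ("SELECT name FROM products WHERE published = 1 AND name = '"
           + term + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(term):
    """Typed parameter: the value is bound separately from the statement text and
    cannot alter it, so quote characters in the input remain plain data."""
    sql = "SELECT name FROM products WHERE published = 1 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


# Allow-list for a product search box: letters, digits, spaces, bounded length.
ALLOWED_TERM = re.compile(r"^[A-Za-z0-9 ]{1,40}$")


def constrained_search(term):
    """Constrain input before it reaches the database: reject anything outside the
    allow-list rather than trying to sanitise it, then still use parameters."""
    if not ALLOWED_TERM.match(term):
        raise ValueError("search term rejected by input constraint")
    return search_parameterized(term)


if __name__ == "__main__":
    probe = "' OR 1=1 --"  # constructed input that rewrites the unsafe query
    print("vulnerable:", search_vulnerable(probe))      # leaks every row
    print("parameterized:", search_parameterized(probe))  # matches nothing
```

The unsafe function returns the unpublished row for the probe input because the quote terminates the literal and `--` comments out the remainder; the parameterized form returns an empty list for the same input.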

The most recent Government Computer newsletter is warning of a new well-designed IRS phishing scam. This attack appears to be related to the upcoming IRS rebates that are part of the 2008 Government Stimulus Package. While the email looks official and the social engineering is well done, it is important to recognize that the IRS and banks do not use email as a method of contacting individuals. They usually will call or conduct official business by mail only. Please avoid these attacks, as entering your bank account information into the realistic but false website could mean real losses of money to these criminals. It could also take months to clean up activity after an individual's credit or bank account information has been compromised.

Phishing scam uses IRS rebate line to reel in victims

QUOTE: The tax filing season is past, the economic stimulus rebate season is upon us, and the phishers are changing their bait. The lure this time is the $600 rebate ($1,200 per household) that the Internal Revenue Service will begin sending to taxpayers in May and a supposed opportunity to speed up the process. E-mails purporting to be from the IRS are arriving in inboxes with instructions to recipients that if they visit the linked Web site and provide bank account and routing numbers their rebate can be deposited directly to the account more quickly. To add an element of urgency, the message includes a deadline — April 24 — for providing information, but that is likely to change.

Right on cue we are starting to see phishing scams with an economic stimulus payment flavor. As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.


TO: ***************
FROM: service@irs.gov
SUBJECT: 2008 Economic Stimulus Refund.

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before April 24th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on April 24th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

The IT Security website features a good categorized list of free security utilities. Some of these are trial versions, limited versions of the full product, or web-based facilities. Even folks on a very tight budget can protect their systems well with many of these free tools.

IT Security website - 103 Free Security Utilities featured

QUOTE: Competition drives prices down, regardless of the industry. With a crowded field of vendors jockeying to be the trusted source of computer security for your home and office, prices for many of the essential elements of your security system have reached zero. Free downloads, free trials, free scans and freeware is everywhere. If you’re willing to go without premium features like phone support, you can have a simple version of powerful software that large companies pay big bucks for.

Hackers use XSS flaw to attack Barack Obama's web site

Cross-site scripting (XSS) flaws are a common weakness in many websites. From a web development standpoint, secure designs and programming techniques are essential. It is always important to keep IE and all other browsers on the latest version and security patches. This is especially important, as phishing attacks are increasing and may even appear genuine at times.

QUOTE: A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.

The Obama hack used a cross-site scripting flaw in the site to redirect users from Obama's Community Blogs section to HillaryClinton.com. XSS bugs are getting far more attention lately than they had been in the past, perhaps because they are so widespread. And since the answer to them is good programming practices rather than running some security product, they can be difficult to snuff out.

Good overview of XSS redirect issues

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

The Storm worm attacks continue to change as they use malicious blog or YouTube-like streaming video links in order to trick users. Everyone should be as cautious with URLs found in an email as they are with attachments. Clicking on these links can lead to infection, as the malware agent is advanced (e.g., rootkit) and highly polymorphic (i.e., MD5-based signatures change almost hourly).

Storm Worm - Blog Attacks

Storm has once again turned its eye to the blogging community, specifically the Blogspot.com community. Several blogger sites with random or very quirky names have been sporting a love theme, Storm style. These sites appear to have been created solely for Storm's purposes and no legitimate blogger site has of yet been reported as infected.

Visiting these sites will lead you to another page, while keeping the Blogger menu at the top. Clicking the site's image downloads a file called love.exe while clicking the link will provide withlove.exe.

Storm Worm - Codec based Video Attacks

QUOTE: Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business.  Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.

TrendLabs researchers discovered several sites that offer, what looks like, a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:

If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.

Adobe Photoshop - Unpatched BMP image vulnerability

Adobe is working to promptly correct this security issue. Users should be careful in loading image files into the Photoshop environment (especially from email, USB devices, or any other untrusted sources).

Adobe Products BMP Handling Buffer Overflow Vulnerability 

QUOTE: Successful exploitation may allow execution of arbitrary code via a specially crafted BMP file. Reportedly, the vulnerability can also be exploited when a malicious storage device (e.g. USB drives, cameras) is being attached to a vulnerable computer. The vulnerability is reported in Adobe Photoshop Album Starter Edition 3.2 and Adobe After Effects CS3. Other versions may also be affected.

Solution: Do not process untrusted BMP files using the affected applications. Do not connect untrusted storage devices to the local computer.

Original Advisory - Adobe:

The latest versions of the Internet Information Services (IIS) facilities have enjoyed an excellent track record in the area of security. Recently, a new vulnerability was discovered that could allow user privileges to be manipulated and escalated in an unauthorized manner.

Additional resources are noted below, including a highly technical overview of Token Kidnapping. Thankfully, the details related to this exposure have been confidentially shared with Microsoft in a responsible manner. Currently, there are no known exploits related to this vulnerability circulating in the wild.

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege


QUOTE: Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

IIS Vulnerability Documented by Microsoft - Includes Workarounds

Token Kidnapping and Impersonation - by Cesar Argeniss

I enjoyed this article and agree in principle with most of the recommendations. While leaders must manage by walking around and inspecting work, they should also allow team members some space as professionals to do their job well.

Folks who are constantly watched and critiqued on every move they make will become nervous and less effective in their work. They may withhold from the manager and team the ideas and participation that can make essential differences on the project.

Article: If you micromanage, no one wins

QUOTE: So do you want to break the micromanaging habit? The Dallas Morning News offers this list of tips to avoid micromanaging:

Part 1 - Methods to change leadership styles

* Focus on communication and trust.
* Assign tasks that include clear, specific, and time-bound expectations.
* Allow employees to figure out how they’ll accomplish the task.
* Set up status reports that fit the scope of the assignment but aren’t too burdensome.
* Let employees know that you’re trying to change and give them a safe way to point it out if you slip.

Part 2 - Be a leader

Leadership skills bring more value and will increase satisfaction for everyone, including you. Options include:

* Investing in each employee through coaching, challenging work, and development.
* Removing barriers to success that your team members face.
* Expressing a meaningful vision to your employees.

Below is also an additional related article:

Article: Can a Micromanager be cured

Apple has just released critical security updates for the Windows version of Safari that should be applied promptly for folks using this complementary browser in the Windows environment.

Apple Safari 3.1.1 for Windows - Critical Security Release

Windows XP or Vista Safari -- CVE-ID: CVE-2007-2398

Impact: A maliciously crafted website may control the contents of the address bar

Description: A timing issue in Safari 3.1 allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems.

Windows XP or Vista Safari -- CVE-ID: CVE-2008-1024

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems.

As Firefox is a popular complementary or stand-alone browser, users should apply this fix and stay up-to-date.  Most users will be automatically updated and they should apply this update if prompted.

Firefox - Security release

Fixed in Firefox

MFSA 2008-20 Crash in JavaScript garbage collector

QUOTE: Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.

The good news in this annual survey is that folks are more aware of the dangers of password disclosure, as the percentage of folks who would be willing to disclose their password has dropped compared to prior years.

However, I do have a weakness for chocolate.

People still give passwords for chocolate

QUOTE: A survey by Infosecurity Europe of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

This year’s survey results were significantly better than previous years. In 2007 64% of people were prepared to give away their passwords for a chocolate bar, this year it had dropped to just 21% so at last the message is getting through to be more infosecurity savvy.

Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.)

This new facility provides tracking of malware developments, and folks in the security profession should add it to their Favorites or Bookmarks.

Malware Threat Center - General Information


QUOTE: MENLO PARK, CA - SRI International, an independent nonprofit research and development organization, today announced the launch of the Malware Threat Center (http://mtc.sri.com), a website dedicated to fighting malware. SRI's Malware Threat Center posts daily updates of firewall filters, malware-related domain name system (DNS) names, antivirus statistics, intrusion detection system (IDS) signatures, and malware binary data to help network administrators understand current and emerging computer security threats and provide key network defense information that can be configured into security products to help network administrators fend off the latest malware threats.

DBAs and Admins should deploy these patches promptly after lab testing, to ensure the best levels of security and information protection.


QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 41 new security fixes across all products.

The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Supported Products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied. Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Critical Patch Update Advisory is available at any of the following locations:

Oracle Technology Network

Oracle, PeopleSoft and JD Edwards products

The next four Critical Patch Update release dates are:

July 15, 2008
October 14, 2008
January 13, 2009
April 14, 2009

Based on the ISC and Symantec warnings below, it appears that MS08-021 is being actively exploited in the wild. Folks are advised to apply the April updates as quickly as possible using the Windows Update process.

Microsoft April Security Updates - MS08-021 Exploit in-the-wild

QUOTE: The ThreatCon is currently at Level 2. The DeepSight honeynet has observed in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008. The malicious image appears to target the Microsoft Windows GDI Stack Overflow Vulnerability (BID 28570).

At least three different sites are hosting the images; two different malicious binaries are associated with the attacks. Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability.

We are still investigating as to why this may be the case. Users are advised to apply the MS08-021 patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild.
