July 2009 - Posts

US-CERT is charged with providing response support and defense against cyber attacks for the US federal government. The tips and techniques in this paper provide valuable safeguards for a safer Internet experience; Internet Explorer and Firefox hardening are discussed in depth.

CERT - Excellent advice on how to secure your browser
http://www.us-cert.gov/reading_room/securing_browser/

QUOTE: This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited Information Technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity. Although the information in this document may be applicable to users with formal IT support as well, organizational IT policies should supersede these recommendations. If you are responsible for IT policies for your organization, please consider implementing these recommendations as part of your policy.


Please be prepared to install these updates as applicable on July 28th. Most systems will do so automatically through Windows Update; this advance notification lets us know the updates are coming.

Microsoft Special Out-of-Band Patch Tuesday targeted for 07/28/2009
http://isc.sans.org/diary.html?storyid=6859
http://blogs.technet.com/msrc/archive/2009/07/24/advance-notification-for-july-2009-out-of-band-releases.aspx
http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx

QUOTE: While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

Polymorphism is a technique used to create many unique variants of the same malware agent. Through random number generators, packers, and other techniques, each wave of attacks can be slightly different at the byte level while behaving identically.

This approach is designed to evade AV scanning engines, and sometimes slightly different AV signatures must be added for each variant. AV detection is very complex, and it remains a must-have on every PC and server.

The 22 million sample count and the graphs in this article reflect the difficulty AV vendors have in keeping up on a daily basis. It is also why we must keep our own PCs updated.

AV-Test - 22 million malware samples in June due to Polymorphism
http://www.avertlabs.com/research/blog/index.php/2009/07/24/counting-badness/

QUOTE: AV-Test counts unique binaries. Unique means different cryptographic hashes. So the same Trojan, obfuscated with 10 different packers results in 10 unique binaries. This is often due to the impact of server-side polymorphism, where you get a unique binary every time you download a file.

AV-Test’s count has come close to 22,000,000 samples in June. We are now seeing a major increase in the monthly growth, topping one million new samples each month in AV-Test’s count. And this time it’s not only samples (the same piece of malware packed over and over again) but also actual new malware.

So keep your machine updated, not just AV and the OS but all applications. Watch out where you surf. (SiteAdvisor may help you there.) And take care what links or attachments you trust in emails and all other forms of messages. All this will help you enjoy the summer!
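The point about unique hashes is easy to see in code. The following is an added example, not code from the AV-Test/Avert post: a toy XOR "packer" stands in for the real packers and server-side polymorphism the post describes, the payload bytes are constructed, and the byte-pattern signature is a made-up stand-in for a real AV signature. It shows that ten packings of one payload give ten distinct file hashes and zero hits for a plaintext signature, while a scanner that strips the packer layer first sees one payload and matches it every time.

```python
"""Why hash-based malware counting inflates under polymorphism.

Added example, not code from the AV-Test/Avert post: a toy XOR "packer"
stands in for the real packers and server-side polymorphism the post
describes, and a constructed byte pattern stands in for an AV signature.
"""
import hashlib
import os
import struct

# Constructed stand-in for a malicious payload; any bytes would do.
PAYLOAD = b"MZ\x90\x00toy-trojan: connect c2.example.invalid:443\x00"
# Constructed byte-pattern signature an AV engine might carry for PAYLOAD.
SIGNATURE = b"c2.example.invalid"
STUB = b"TOYPACK1"  # hypothetical 8-byte marker for the unpacker stub


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload, key=None):
    """Wrap payload under a fresh random XOR key, as a trivial packer would.

    Layout: STUB | 16-byte key | little-endian length | XOR-encoded body.
    Every call yields a different file even though the payload is the same.
    """
    if key is None:
        key = os.urandom(16)
    body = xor(payload, key)
    return STUB + key + struct.pack("<I", len(body)) + body


def unpack(blob):
    """Reverse pack(); this is the work an AV emulator/unpacker layer does."""
    if not blob.startswith(STUB):
        raise ValueError("not a TOYPACK1 blob")
    key = blob[8:24]
    (n,) = struct.unpack("<I", blob[24:28])
    return xor(blob[28:28 + n], key)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def count_unique(samples):
    """AV-Test style count: one sample per distinct file hash."""
    return len({sha256(s) for s in samples})


def count_unique_unpacked(samples):
    """Count after stripping the packer layer: one per distinct payload."""
    return len({sha256(unpack(s)) for s in samples})


def signature_hits(samples, sig=SIGNATURE, unpack_first=False):
    """How many samples a static byte signature matches, with or without
    unpacking first."""
    return sum(sig in (unpack(s) if unpack_first else s) for s in samples)


def demo(n_variants=10):
    """Return (distinct hashes, distinct payloads, raw sig hits, unpacked sig hits)."""
    samples = [pack(PAYLOAD) for _ in range(n_variants)]
    return (count_unique(samples), count_unique_unpacked(samples),
            signature_hits(samples), signature_hits(samples, unpack_first=True))


if __name__ == "__main__":
    print("distinct file hashes, distinct payloads, raw hits, unpacked hits:", demo())
```

Real packers are far more elaborate than a 16-byte XOR, but the counting effect is the same: a per-download key makes every file hash unique, so a hash-based tally grows with the number of downloads rather than the number of malware families, and a static signature on the plaintext body only works once the scanner has unpacked or emulated the sample.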

Always be careful with the sites that you join and how they use your email account and contact list. Also, avoid sharing your address publicly, as it could be misused.

On social Web, beware of address book mining
http://www.msnbc.msn.com/id/32088728/ns/business-consumer_news/

QUOTE: When you join a new Web site, how often do you read the terms and conditions before you click the accept button? Most people probably answer never or rarely. And that’s understandable. Many just want to get on the site. Who wants to read a document that goes on and on in language that only a lawyer could understand? That can be a big mistake. You never know what could be tucked in there. When you go to a new site, make sure you know what you are allowing them to do with your personal information.

So far, only a handful of sites have been discovered, but there is potential for these new SWF exploits to spread further. Keep AV protection updated, avoid suspicious attachments (PDFs in this case), and avoid unusual websites as well.

New attacks exploit vulnerability in fully-patched Adobe Flash
http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/

QUOTE: Although the exploit can be triggered using malicious PDF files opened by Adobe's Reader application, a more common technique uses a 1.1 kilobyte Adobe Flash file to target the vulnerability, says Paul Royal, principal researcher for Purewire, a company that protects web users against malicious sites. At the moment, the number of attacks is small, but that's likely to change.

"So far, I've seen just a handful of websites offering this zero-day exploit, although the number will obviously increase the minute that a public proof of concept version of the weaponized vulnerability gets published," Royal tells The Register. "Once this thing hits Milw0rm you'll see thousands of sites."

Adding to the urgency, none of the major anti-virus engines were detecting the poisoned SWF files at time of writing. What's more, some of the sites serving the malicious, one-frame movie are legitimate websites that have been compromised, making it difficult for people to protect themselves against the attack.

Google Chrome was recently updated to fix security vulnerabilities, and users will be updated automatically.

Google Chrome 2 - Recent Security release
http://isc.sans.org/diary.html?storyid=6832

QUOTE: On Thursday, July 16, Google Chrome 2.0.172.37 was released, it fixed what Google calls a Critical severity vulnerability, Memory corruption in the browser process, and a High severity vulnerability, Heap overflow with Javascript regular expressions. They report the vulnerabilities were identified by the  "Google Chrome security team".

Trend Micro documents that several websites in India were impacted by recent mass SQL injection attacks.

New SQL Injection attacks on India websites
http://blog.trendmicro.com/massive-sql-injection-ensues/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=TROJ_AGENT.HOZZ

QUOTE: With the growing concern with numerous vulnerabilities, just this afternoon, Trend Micro Research Project Manager, Ivan Macalintal, stumbled on a somewhat regional fallout of this SQL injection in India threading through numerous compromised government, tourism, popular media, and other sites.

A stack buffer overflow vulnerability has been discovered, and Firefox users should look for a patch soon. A proof-of-concept exploit has been released, but so far no attacks in the wild have been documented. Mitigation techniques include NoScript, AV protection, and safe browsing practices.

Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability
http://isc.sans.org/diary.html?storyid=6829
http://www.securityfocus.com/bid/35707/discuss

QUOTE: Various analysts and sites have recently confirmed a vulnerability is present in Firefox 3.5.1 that has had an exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DoS. No patch is available.

As an exploit has recently been published, it is important for all users to update to the later version. Most folks will auto-update, and they should accept the update right away.

Firefox 3.5.1 released to correct critical JS vulnerability
http://isc.sans.org/diary.html?storyid=6817
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://en-us.www.mozilla.com/en-US/firefox/3.5/releasenotes/
http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

QUOTE: If you are a Firefox 3.5 user, update now. And remember, if you applied the work around by disabling the JIT in about:config, remember to turn it back on!

Firefox users should be on the lookout for an update soon, as noted in the Mozilla blog:

Firefox 3.5 - Critical JavaScript POC Exploit developed
http://isc.sans.org/diary.html?storyid=6796
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

QUOTE: The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. An update does not currently exist. So far there are no reports of sites on the internet being first to use the hole for active infections and exploitation of Windows PCs. Since the published exploit uses PC heap spraying under JavaScript, disabling JavaScript should act as a stop gap. When the exploit was tested with Windows 7 RC1, after a short time, the browser displayed a dialogue offering to abort the script.

WORKAROUNDS

1. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine: in about:config, set javascript.options.jit.content to false (see Mozilla link above). Remember to turn it back on once the fixed release is installed.

2. NoScript is also a good security add-on; it blocks JavaScript by default and lets users allow it on a site-by-site basis:

http://noscript.net/
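The H-online quote notes that the published exploit relies on JavaScript heap spraying, which is why disabling JavaScript or the JIT is a stop-gap. For analysts triaging pages rather than users hardening browsers, the spray itself is a recognisable shape. The following is an added example, not code from Mozilla or H-online: a small Python scorer whose regexes are one analyst's heuristics for the classic spray skeleton (a %u-encoded filler string doubled in a loop and copied into a large array). The two JavaScript samples are constructed, the indicator weights are assumptions, and nothing here carries shellcode.

```python
"""Heuristic triage of JavaScript for heap-spray construction.

Added example, not code from the H-online/Mozilla posts: the regexes below
are one analyst's heuristics for the classic spray shape (a %u-encoded
filler string doubled in a loop and copied into a large array), not an
official signature. The samples are constructed and carry no shellcode.
"""
import re

# Constructed sample: the skeleton of a heap spray with a filler pattern
# (0x0c0c / NOP-like 0x90) in place of real shellcode.
SPRAY_JS = r"""
var sc = unescape("%u0c0c%u0c0c%u0c0c%u0c0c");
var nop = unescape("%u9090%u9090");
while (nop.length < 0x100000) nop += nop;
var heap = new Array();
for (var i = 0; i < 400; i++) heap[i] = nop + sc;
"""

# Constructed sample: ordinary page script that also loops and builds arrays.
BENIGN_JS = r"""
function greet(name) { return "hello " + name; }
var items = [];
for (var i = 0; i < 3; i++) items.push(greet(i));
var buf = ""; for (var j = 0; j < 10; j++) buf += "x";
"""

# (name, pattern, weight): the weights are assumptions for this example.
INDICATORS = [
    ("unescape_u16_run",
     re.compile(r'unescape\s*\(\s*["\'](?:%u[0-9a-fA-F]{4}){2,}'), 2),
    ("self_doubling_string",
     re.compile(r'\b(\w+)\s*\+=\s*\1\b'), 2),
    ("large_length_target",
     re.compile(r'\.length\s*<\s*0x[0-9a-fA-F]{5,}'), 1),
    ("array_fill_loop",
     re.compile(r'for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+'), 1),
    ("fromcharcode_run",
     re.compile(r'String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}'), 1),
]


def score(js):
    """Return (total weight, list of indicator names that matched)."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(js)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    return total, hits


def is_heap_spray(js, threshold=3):
    """True when enough spray indicators co-occur; a single hit is noise."""
    return score(js)[0] >= threshold


if __name__ == "__main__":
    for label, js in (("spray", SPRAY_JS), ("benign", BENIGN_JS)):
        print(label, score(js), is_heap_spray(js))
```

A co-occurrence threshold matters more than any single pattern: string doubling and large arrays appear in legitimate code, but a %u-encoded blob doubled up to a six-digit hex length and copied into hundreds of array slots rarely does. Obfuscated kits will defeat plain regexes, so treat this as a first-pass filter ahead of emulation, not as a verdict.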

With active DirectShow and other attacks in the wild, all corporate and home users should apply these protective updates promptly.

QUOTE: The full July Security Bulletin is available at the following Web page:

http://www.microsoft.com/technet/security/bulletin/MS09-Jul.mspx

ISC has 2 PATCH NOW recommendations
http://isc.sans.org/diary.html?storyid=6790  


==================================
New Security Bulletins - July 2009
==================================

Microsoft is releasing the following six new security bulletins for July 2009:

----------------------------------
Bulletin ID: MS09-028
Bulletin Title: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows 2000, Windows XP, Windows Server 2003

----------------------------------
Bulletin ID: MS09-029
Bulletin Title: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008

----------------------------------
Bulletin ID: MS09-030
Bulletin Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (969516)
Max Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office Publisher 2007

----------------------------------
Bulletin ID: MS09-031
Bulletin Title: Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
Max Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Internet Security and Acceleration Server 2006

----------------------------------
Bulletin ID: MS09-032
Bulletin Title: Cumulative Security Update of ActiveX Kill Bits (973346)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows XP, Windows Server 2003

----------------------------------
Bulletin ID: MS09-033
Bulletin Title: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
Max Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Virtual PC 2004, Virtual PC 2007, Virtual Server 2005
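MS09-032 above ships kill bits rather than code fixes. A kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; when it is set, Internet Explorer refuses to instantiate that control, which is also how the Office Web Components advisory below is mitigated before a patch exists. The following is an added example, not part of any Microsoft bulletin: a Python parser that reads a `reg export` of that key, reports which CLSIDs are killed, and writes a .reg file to kill the rest. The CLSIDs in the sample are placeholders, not the IDs from any bulletin, and the registry text is constructed.

```python
r"""Checking ActiveX kill bits in an exported registry fragment.

Added example, not part of the Microsoft bulletin text: a kill bit is the
0x400 flag in the "Compatibility Flags" DWORD under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID};
when set, Internet Explorer will not instantiate that control. The CLSIDs
below are placeholders, not the IDs from any bulletin.
"""
import re

KILL_BIT = 0x400
KEY_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# Constructed `reg export`-style text (already decoded from UTF-16).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401
"""

KEY_RX = re.compile(r"^\[(.+)\]\s*$")
VALUE_RX = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')


def parse_compat_flags(reg_text):
    """Map CLSID -> Compatibility Flags for keys under ActiveX Compatibility."""
    flags = {}
    current = None
    for line in reg_text.splitlines():
        m = KEY_RX.match(line)
        if m:
            key = m.group(1)
            current = None
            if key.lower().startswith(KEY_PREFIX.lower() + "\\"):
                current = key.rsplit("\\", 1)[1].upper()
            continue
        m = VALUE_RX.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bit_set(flags, clsid):
    """True if the 0x400 bit is present, whatever other flags are set."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def missing_kill_bits(flags, required):
    """CLSIDs from `required` that are not killed (absent key counts as not killed)."""
    return [c for c in required if not kill_bit_set(flags, c)]


def reg_file(clsids):
    """Build a .reg file that sets the kill bit for each CLSID (merge with regedit)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        out.append(f"[{KEY_PREFIX}\\{c.upper()}]")
        out.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_compat_flags(SAMPLE_REG)
    for clsid, value in sorted(found.items()):
        print(clsid, hex(value), "killed" if kill_bit_set(found, clsid) else "NOT killed")
```

Two practical caveats: `reg export` writes UTF-16 with a BOM, so decode the file (for example `open(path, encoding="utf-16")`) before passing it in, and the generated .reg overwrites the whole DWORD with 0x400, so check the existing value first if other compatibility flags need to survive. The parser only handles the `dword:` form; exports of unusual value types would need the `hex(...)` syntax added.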

The ISC is highlighting these zero-day attacks with a rare "Yellow" status condition for 24 hours, as more active use in the wild may be occurring. AV protection is emerging, and users should be careful in accessing unusual websites presented to them in searches, email, IM, or other sources until this is patched.

Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
http://isc.sans.org/diary.html?storyid=6778
http://isc.sans.org/diary.html?storyid=6787
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html
http://www.sophos.com/blogs/gc/g/2009/07/13/day-vulnerability-microsoft-owc-discovered/
http://www.sophos.com/blogs/sophoslabs/v/post/5320


QUOTE: Attack vectors used to exploit this vulnerability

1. The now known public attempts to exploit the vulnerability, attackers just modify the code with a fresh download and payload to slightly modified malware.

2. A .cn domain using a heavily obfuscated version of the exploit - which may become an attack kit (think MPACK) and is similar to recent DirectShow attacks.

3. A highly targeted attack against an organization earlier today, which received a Microsoft Office document with embedded HTML. This one was particularly nasty: it was specifically crafted for the target, with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach the server.

IE zero-day domains to avoid
http://isc.sans.org/diary.html?storyid=6739

Microsoft Advisory 973472
http://www.microsoft.com/technet/security/advisory/973472.mspx

Exploit-CVE2009-1136 -- McAfee protection emerging (DAT 5676)
http://vil.nai.com/vil/content/v_179225.htm

AV products use pattern matching, file hashes (such as MD5), heuristics, and other techniques to detect hundreds of thousands of different viruses. Because a signature typically matches a short byte pattern rather than the whole file, legitimate software will occasionally match a pattern and be reported as a false positive.

False positives can occur occasionally with any AV product. When a virus is detected, users should pay close attention and record the name of the detection, as noted in the MSNBC article; a later search of the AV vendor's website may show that it was a known false positive. If it is a true malware incident, the detection name is valuable for learning what the malware does and whether any information may have been transmitted from the compromised PC.

Computer Associates apologize for False Positive
http://isc.sans.org/diary.html?storyid=6775
http://www.msnbc.msn.com/id/31853138/ns/technology_and_science-security/
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=212102

QUOTE: Antivirus software cuts two ways. It's great at blocking known viruses, but it can sometimes misfire, mistakenly flagging clean files as malicious. That sends a computer into a tailspin trying to clean up stuff that's supposed to be on there. The problem can crash a computer, and fixing it can be a bear. An example emerged this week when users of antivirus CA Inc. watched as their machines warned of an infection and started quarantining files that turned out to be legitimate.

New Koobface variants are sending malicious URLs to Twitter users. AV protection has emerged for many products since these attacks surfaced on Friday, and users should avoid unusual URLs in social networking systems, email, instant messaging, or any other environment. Twitter has been suspending infected accounts to bring the attack under control.

Twitter Security Alert on Koobface
http://status.twitter.com/post/138789881/koobface-malware-attack
http://blog.trendmicro.com/koobface-increases-twitter-activity/

QUOTE: Some users’ PCs have been infected with a variant of the Koobface malware. This malware sends bogus tweets when the user logs into Twitter. We are currently suspending all accounts that we detect sending such bogus tweets. If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC.

What is Koobface
http://en.wikipedia.org/wiki/Koobface

QUOTE: Koobface, an anagram of Facebook ("face" and "book" change order and "koob" is "book" in reverse), is a computer worm that targets the users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twitter. Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers.

Recent evaluations of the DDoS attacks note that there is NO EVIDENCE that North Korea has launched a cyberwar against the United States. A botnet of roughly 60,000 to 100,000 infected PCs is launching these denial-of-service attacks, overwhelming websites with traffic so that users cannot connect.

Recent DDoS attacks on US and South Korean government web sites
http://sunbeltblog.blogspot.com/2009/07/ddos-global-hysteria.html
http://isc.sans.org/diary.html?storyid=6757

QUOTE: I know of not a shred of evidence that this bot is from North Korea. It would take considerable research to ascertain the original source (the relevant IPs to the malicious code are in several places — Florida and Germany). What happened here is trivial stuff in the security world: A bot got on between 60,000 to 100,000 PCs, and started launching DDoS attacks.
