March 2006 - Posts

As reported on the F-Secure Weblog - First things first: admins, block http access from your network to endoliteindia.com.

We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.

The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.
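Added illustration, not part of the F-Secure post: detection logic run over constructed proxy records that flags a URL whose response bytes change on every poll (the repack-every-four-minutes pattern described above) and shows why a blocklist keyed on one MD5 lags behind it, which is why the post tells admins to block the host instead. The record format and the response bodies are constructed sample data.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy records, not captured traffic: (minute, client, url, response body).
# The bodies only mimic the situation in the post: same URL, different bytes on every poll.
SAMPLE_FETCHES = [
    (0,  "10.0.0.5", "http://endoliteindia.com/x.gif", b"MZ\x90\x00pack-v1" + b"A" * 40),
    (4,  "10.0.0.7", "http://endoliteindia.com/x.gif", b"MZ\x90\x00pack-v2" + b"B" * 52),
    (8,  "10.0.0.5", "http://endoliteindia.com/x.gif", b"MZ\x90\x00pack-v3" + b"C" * 31),
    (12, "10.0.0.9", "http://endoliteindia.com/x.gif", b"MZ\x90\x00pack-v4" + b"D" * 47),
    (0,  "10.0.0.5", "http://intranet.example/logo.gif", b"GIF89a" + b"\x00" * 64),
    (60, "10.0.0.7", "http://intranet.example/logo.gif", b"GIF89a" + b"\x00" * 64),
]


def summarize(fetches):
    """Group fetches by URL and record the distinct MD5s, sizes and clients seen."""
    per_url = defaultdict(lambda: {"md5": set(), "size": set(), "clients": set(), "count": 0})
    for _minute, client, url, body in fetches:
        entry = per_url[url]
        entry["md5"].add(hashlib.md5(body).hexdigest())
        entry["size"].add(len(body))
        entry["clients"].add(client)
        entry["count"] += 1
    return per_url


def polymorphic_urls(fetches, min_fetches=3):
    """URLs whose body differed on every single fetch: a repacked-on-the-fly download point."""
    return sorted(
        url for url, e in summarize(fetches).items()
        if e["count"] >= min_fetches and len(e["md5"]) == e["count"]
    )


def hosts_to_block(fetches):
    """A hash blocklist cannot keep up with a four-minute repack cycle; block the host instead."""
    return sorted({urlparse(url).hostname for url in polymorphic_urls(fetches)})


def md5_blocklist_hit_rate(fetches, url):
    """Share of fetches of `url` that a blocklist seeded with its first observed MD5 would catch."""
    hashes = [hashlib.md5(b).hexdigest() for _m, _c, u, b in fetches if u == url]
    return hashes.count(hashes[0]) / len(hashes) if hashes else 0.0
```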
Posted Friday, March 31, 2006 5:32 AM by Don | with no comments
The Security Forum at DSLreports has been polling its users on which anti-virus package they use. Thus far, 594 votes have been cast. As of this listing, the following are the top 5 applications:

1) AVG - 122 (20%)
2) KAV - 101 (17%)
3) NAV - 98 (16%)
4) Avast - 95 (15%)
5) NOD32 - 94 (15%)
Posted Thursday, March 30, 2006 10:31 AM by Don | with no comments
Issued: March 29, 2006

Security Advisories Updated or Released Today

* Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

 - Reason For Update: Advisory updated with an additional FAQ regarding Microsoft Security Advisory 912945.

* Security Advisory (912945)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

 - Reason For Update: Advisory updated to indicate that this non-security update will be included with the IE security update, and that this next security update will address the issues detailed in Microsoft Security Advisory 917077. Also, the advisory has been updated to inform customers that a Compatibility Patch will be created that will allow customers to temporarily return IE to the previous functionality for handling ActiveX controls.

Support:
Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131
Secunia Advisory: SA19450
Release Date: 2006-03-29

Description:
F-Secure has acknowledged a vulnerability in F-Secure Messaging Security Gateway, which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA19342

The vulnerability affects the following platforms:
* F-Secure Messaging Security Gateway, X200
* F-Secure Messaging Security Gateway, P600 and P800

Solution:
Hotfixes have been distributed automatically by the delivery system.

Original Advisory:
F-Secure:
http://www.f-secure.com/security/fsc-2006-2.shtml

A Russian website is selling a DIY spyware kit, called WebAttacker, for around $15 a throw. The site, which proudly boasts of its creator's credentials in the scumware industry, also offers technical support to potential buyers.

The kits come in a script kiddie friendly form with code designed to make the task of infecting computers a breeze. All the buyers need do is send spam messages inviting potential marks to visit a compromised website.

TheRegister

Posted Tuesday, March 28, 2006 6:47 AM by Don | with no comments
CastleCops and Sunbelt Software Announce Anti-Phishing Task Force; Companies Join Forces to Give the Public a Resource to Report and Stop Phishing Scams

CLEARWATER, Fla.--(BUSINESS WIRE)--March 27, 2006--CastleCops, a globally oriented security and privacy site, and Sunbelt Software, a leading provider of Windows security software, announced today a new anti-phishing task force designed to help consumers and businesses combat the unending scourge of phishing scams and online identity theft.

The task force, called the Phishing Incident Reporting and Termination (PIRT) Squad, is a community at CastleCops solely dedicated to taking down phishing sites. The community consists of members who report new phishing scams as well as highly experienced security researchers ("handlers") that handle incoming reports of phishing websites and are responsible for performing immediate action to terminate the criminal activity.

The PIRT Squad works as a complement to existing organizations such as the Anti-Phishing Working Group (APWG). The primary difference between PIRT and other organizations is that PIRT is focused solely on aggressively terminating phishing sites. PIRT will work with other security organizations and, if necessary, law enforcement, to provide information for security and forensic analysis.

"The reason this group was formed is to give consumers direct access to a dedicated task force that will take immediate and aggressive action to shutting down phishing sites," said Paul Laudanski, president of CastleCops.

Press Release

CNet Story

Posted Monday, March 27, 2006 5:47 PM by Don | with no comments
Secunia Advisory: SA19378
Release Date: 2006-03-27

Software: Microsoft Internet Explorer 6.x

Description:
Jeffrey van der Stad has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error when handling .HTA applications and allows execution of the .HTA application on the user's system without any user interaction when e.g. visiting a malicious web site.

The vulnerability has been reported in Internet Explorer 6.0. Other versions may also be affected.

Solution:
Do not visit untrusted web sites.

Disabling Active Scripting support may prevent exploitation, but has not been proven.
From the Handler's Diary,
Published: 2006-03-24,
Last Updated: 2006-03-25 00:24:21 UTC by Deborah Hale (Version: 1)

We have decided to return the InfoCon to green for the start of the weekend. We feel that everyone who is going to react has reacted to the latest exploit for IE, and we wanted to start the weekend in normal mode.

We do want to remind everyone, however, that this is a serious problem. We have received information that at least a dozen sites exist out there that are working the exploits. The information is also circulating on IRC, so it might be a good idea to kill IRC until the patches are released and in place.
Posted Saturday, March 25, 2006 8:04 AM by Don | with no comments
Issued: March 24, 2006

Security Advisories Updated or Released Today

* Security Advisory (917077)

  - Title:    Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

  - Web site: http://go.microsoft.com/fwlink/?LinkId=63915


  - Reason For Update: Advisory updated with information on limited attacks.

From the Handler's Diary,
Published: 2006-03-24,
Last Updated: 2006-03-24 04:01:25 UTC by Jim Clausing (Version: 1)

Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability.  One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive).  For that reason, we're raising Infocon to yellow for the next 24 hours. 

Workarounds/mitigation

Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working.  You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.
Posted Friday, March 24, 2006 7:51 AM by Don | with no comments
As reported on CRN, Apple's switch from PowerPC to Intel-based Macs could lead to more attacks and cross-platform exploits, according to some researchers and solution providers.

OS X includes features that make it a target for malware, and the Intel-based Macs may be even more vulnerable than their PowerPC predecessors, according to security researcher Kevin Finisterre, who created the three recent versions of InqTana, a proof-of-concept worm that spreads through a vulnerability in the Bluetooth feature of OS X.

Posted Friday, March 24, 2006 5:05 AM by Don | with no comments
Issued: March 23, 2006

Security Advisories Updated or Released Today

* Security Advisory (917077)

  - Title:    Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

  - Web site: http://go.microsoft.com/fwlink/?LinkId=63915

* Security Advisory (912945)

  - Title:    Non-Security Update for Internet Explorer

  - Web site: http://go.microsoft.com/fwlink/?LinkId=59550

  - Reason For Update: Advisory updated to highlight where customers can download the update.


Secunia Advisory: SA19358
Release Date: 2006-03-23
Description:
Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system.

1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system.

2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user's system.

3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system.

A weakness when executing other programs is caused due to incorrect use of the "CreateProcess()" API. This may allow execution of an arbitrary program on the system, if this can be placed in the program path.

The following products are affected by one or more of the vulnerabilities:
* RealPlayer 10.5 (6.0.12.1040-1348)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8
* RealPlayer Enterprise
* Rhapsody 3 (build 0.815 - 1.0.269)
* Mac RealPlayer 10 (10.0.0.305 - 331)
* Mac RealOne Player
* Linux RealPlayer 10 (10.0.6)
* Helix Player (10.0.6)
* Linux RealPlayer 10 (10.0.0 - 5)
* Helix Player (10.0.0 - 5)

Solution:
See patch matrix in vendor advisory for details.

Provided and/or discovered by:
The vendor credits the following people:
* John Heasman, NGS Software.
* Greg MacManus, iDEFENSE Labs.
* Sowhat

Original Advisory:
RealNetworks:
http://service.real.com/realplayer/security/03162006_player/en/
http://service.real.com/realplay.../security/enterprise_031606.html
http://service.real.com/help/faq/security/security111605.html
Secunia Advisory: SA19342
Release Date: 2006-03-23

Description:
ISS X-Force has reported a vulnerability in Sendmail, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a signal handling error when receiving and processing mail data from clients. This can be exploited to corrupt memory by sending specially crafted data at certain time intervals.

Successful exploitation allows execution of arbitrary code with the privileges of the sendmail server daemon.

The vulnerability has been reported in the following products:
* Sendmail 8.13.5 and prior
* Sendmail 8.12.11 and prior
* Sendmail Sentrion 1.1
* Sendmail Switch 2.x, 3.0.x, and 3.1.x (Solaris, Linux, AIX, and HP-UX)
* Sendmail Managed MTA 2.x, 3.0.x, and 3.1.x (Solaris, Linux, AIX, and HP-UX)
* Sendmail Multi-Switch 2.x, 3.0.x, and 3.1.x (Solaris, Linux, AIX, and HP-UX)
* Sendmail Message Store/SAMS 1.2.x, 2.0.x, 2.1.x, and 2.2.x (Solaris, Linux, AIX, and HP-UX)
* Intelligent Quarantine 3.0 (Solaris or Linux)

Solution:
Update to version 8.13.6 or apply patch.
Description:
Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way which allows the program flow to be redirected to the heap.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview. Other versions may also be affected.

Solution:
Do not visit untrusted web sites.
http://secunia.com/advisories/18680/
Posted Wednesday, March 22, 2006 2:55 PM by Don | with no comments

Hoping to shame advertisers, the Center for Democracy and Technology released a report on Monday naming companies that apparently have bought space on adware affiliate networks.

The report identifies major companies whose ads have appeared on 180solutions adware affiliate network in hopes of convincing the companies to increase control over their advertising. Generally, firms do not know where their ads will appear, because advertising agencies are responsible for determining how to spend marketing dollars. For online advertising, such ad agencies buy space through ad networks that place ads among a variety of sites or might resell the contract to another ad network. In some cases, the contract ends up with an adware affiliate network.

SecurityFocus

Security software maker Trend Micro plans to challenge larger rivals Microsoft and Symantec with its own subscription-based service aimed at the fast-growing consumer anti-virus market, company executives said on Tuesday.

Both Microsoft and Symantec have recently announced plans to offer a one-stop service delivered over the Web that includes anti-virus, firewall and anti-spyware software amid a rising tide of cyber threats.

VARBusiness

Posted Tuesday, March 21, 2006 7:09 PM by Don | with no comments
Does your antispyware software really work? With security experts warning of "rogue" antispyware products that sometimes do more harm than good, two security researchers have decided to take matters into their own hands.

They're working on a new software product, called Spycar, that will test the effectiveness of antispyware products. "We decided the best way to do that would be to write a suite of tiny custom programs that each do a tiny spyware-like thing," said Tom Liston, a senior security consultant with Intelguardians LLC, based in Washington, DC. The software is being developed by Liston and Ed Skoudis, also an Intelguardians security consultant.

While Spycar won't help users remove rogue antispyware products, it will give them a sense of whether they have a problem, Liston said.
Spycar will be available free of charge in May. More information will be made available on the http://www.intelguardians.com Web site at that time.

InfoWorld

Posted Tuesday, March 21, 2006 5:51 AM by Don | with no comments
Microsoft Corp. announced that by the end of June 2006 it will have initiated legal actions on more than 100 cases in EMEA against individuals suspected of committing online fraud; 53 of these will have already started by the end of March 2006.
Full Story Here
Posted Monday, March 20, 2006 3:31 PM by Don | with no comments
During the last few days a bot using the name FuntKlakow has been registering on perhaps thousands of phpBB forums. Some speculate that the bot's owners are preparing to exploit an unreported vulnerability.