Security News and Best Practices for corporate and home users
October 2007 - Posts
Everyone should avoid e-cards or other "fun links" associated with Halloween. The Storm Worm has also been adapted to trick folks as noted by Websense. Clicking on these links could lead to hours of restoration and repair work.
Storm Worm - New Halloween based attacks http://www.websense.com/securitylabs/alerts/alert.php?AlertID=814
QUOTE: Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:
Example of the new Halloween based attack:
Subject: Nothing is funnier this Halloween
Body: Come watch the little skeleton dance. (Malicious URL Removed)
This interesting finding shows how malware could bypass anti-virus detection when the scanner processes web pages containing scripts embedded in the HTML.
A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000k http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/ http://it.slashdot.org/article.pl?sid=07/10/29/1747237
QUOTE: When I found a malicious script riddled with 0x00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0x00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.
When I remove all obscuring zero-bytes from this script, things get better: 25 out of 32 AV products detect it. But what happens when I add more zero-bytes to the script? Even more AV are fooled! Gradually adding more zero-bytes makes the detection ratio go down.
And at 254 zero-bytes between the individual characters of the script, McAfee VirusScan is the only AV to still detect this obscured script. One byte more (255 zero-bytes), and VirusScan doesn’t detect the script anymore. No AV on VirusTotal detects this malware obscured with 255 zero-bytes (or more). But for IE, this obscured HTML poses no problem, it still renders the page and executes the script.
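As an added defensive illustration (not code from the original post or from Didier Stevens), the following Python shows why a scanner should strip 0x00 bytes before signature matching: a byte-exact match fails on the padded script while a match on the normalized content still succeeds, and the NUL density itself is a warning sign. The sample script, the detection string and the density threshold are constructed assumptions.

```python
# Added example: NUL-byte normalization before signature matching.
# The sample script and the detection string are constructed placeholders,
# not a real malware sample or a real AV signature.

SIGNATURE = b"document.write(unescape("   # hypothetical detection string
NUL_DENSITY_THRESHOLD = 0.2                 # assumed: flag pages that are mostly 0x00 bytes

def obfuscate_with_nulls(data, n):
    """Insert n zero-bytes between each pair of characters (the obscuring trick)."""
    return (b"\x00" * n).join(bytes([c]) for c in data)

def normalize_html(data):
    """Drop every 0x00 byte, mirroring what IE's renderer ignores.
    Returns the stripped bytes and the number of NULs removed."""
    stripped = data.replace(b"\x00", b"")
    return stripped, len(data) - len(stripped)

def scan(data):
    """Compare a naive raw-byte match against a match on normalized content."""
    normalized, nul_count = normalize_html(data)
    density = nul_count / len(data) if data else 0.0
    return {
        "raw_match": SIGNATURE in data,               # what a byte-exact signature sees
        "normalized_match": SIGNATURE in normalized,  # what the browser effectively executes
        "nul_bytes": nul_count,
        # Valid HTML text never needs 0x00, so a high NUL density is itself suspicious.
        "suspicious": nul_count > 0 and density >= NUL_DENSITY_THRESHOLD,
    }

SAMPLE = b"<script>document.write(unescape('%3Cdiv%3E'))</script>"  # constructed

if __name__ == "__main__":
    for padding in (0, 1, 254, 255):
        print(padding, scan(obfuscate_with_nulls(SAMPLE, padding)))
```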
Websense has warned of a new HTML based e-card in the Spanish language. It is designed to load a Trojan horse that can steal banking account credentials from the infected PC. More threats could potentially emerge, so please be careful out there.
New Halloween e-card threats http://www.websense.com/securitylabs/alerts/alert.php?AlertID=813
Sample e-card from Websense http://www.websense.com/securitylabs/images/alerts/halloween2007.png
QUOTE: Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe". It is also poorly detected by anti-virus signatures.
Assuming users access the site and select to run the file, a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users. The file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines.
This chart shows that rootkits, botnets, and other advanced attacks have increased two-fold during the past year. Because these are actual infections, it signifies that malware authors are using improved social engineering tactics and technical innovations to slip malware past defense systems (e.g., massive spam attacks, crafted exploits, etc.).
This finding illustrates that it's more important than ever to stay up-to-date with security protection and to exercise caution with email, IM, and website visits.
Trend Micro reports 200% increase in Severe Malware Infections http://blog.trendmicro.com/200-growth-in-severe-malware-infections/
QUOTE: An infections graph released by the Trend Micro Threat Analytics shows that the growth in severe malware infections grew 200% throughout 2007.
The Storm worm botnet is so well protected that its central servers and malware authors have remained anonymous. Besides using fast-flux servers that are ever changing, the Storm worm client can launch a DDoS attack against researchers who try to reverse engineer the code to determine how it works.
Storm worm strikes back if researchers attempt to discover its origin http://www.networkworld.com/news/2007/102407-storm-worm-security.html
The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Corman, host-protection architect for IBM/ISS, who led a session on network threats.
A recently discovered capability of Storm is its ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them. Users will see that, say, antivirus is turned on, but it isn’t scanning for viruses, or as Corman puts it, it is brain-dead. "It’s running, but it’s not doing anything."
When cleaning Storm worm infections, the file names have changed for newer variants and the most up-to-date standalone cleaner should be used.
Storm Worm - Now infects PC with different file names http://www.avertlabs.com/research/blog/index.php/2007/10/21/nuwar-new-file-names/
QUOTE: We all know that the Nuwar aka Storm gang has been continuously changing their spam email text, download sites, executables, network traffic patterns etc. in their efforts to penetrate through the security defenses at various layers, all throughout this year. I had a chance to briefly look at a ‘fresh’ Nuwar sample this weekend. It is interesting that they have now also changed the names of files Nuwar drops. It now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys, and Spooldr.ini correspondingly. It also tried to actively propagate by copying itself on the floppy drive, which is new.
This site is one of my favorite links for locating malware cleaning facilities:
GREAT SITE FOR FREE VIRUS REMOVAL TOOLS (see links on left top side -- "Free Protection and Removal Tools") http://www.virusintel.com/tiki-index.php
Users should not open any untrusted TIFF images using the iPhone's Safari web browser and should watch for security patches to be released by Apple.
iPhone unpatched vulnerability and Exploit http://isc.sans.org/diary.html?storyid=3517 http://secunia.com/advisories/27213/ http://secunia.com/cve_reference/CVE-2007-5450/
Description: A vulnerability has been reported in Apple iPod touch and Apple iPhone, which potentially can be exploited by malicious people to compromise a vulnerable device. The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari web browser. The vulnerability is reported in iPod touch version 1.1.1 and iPhone version 1.1.1. Other versions may also be affected.
Solution: Do not browse untrusted web sites and do not open untrusted TIFF images.
Real Player - Zero Day Exploit circulating
A new zero-day RealPlayer exploit is reported to be actively circulating which uses an ActiveX control vulnerability. RealPlayer uses the ActiveX control to extend browser functionality, and a maliciously crafted web page can abuse it so that malware is installed automatically. Users should avoid or be careful with all RealPlayer files until this is fixed. A kill bit can be set to deactivate the ActiveX control as noted below.
Real Player - Zero Day Exploit circulating http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html http://www.avertlabs.com/research/blog/index.php/2007/10/19/realplayer-zero-day-exploit-hits-the-web/ http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043319 http://www.securityfocus.com/bid/26130
QUOTE: Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score. According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited and malicious code downloaded to any PC that wanders to a specially crafted site.
KILLBIT CAN BE SET: The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
KB Article - How to set Killbit for ActiveX objects http://support.microsoft.com/kb/240797
These email messages should be blocked or deleted if found. The advice is always misleading and folks are better served by researching stock information on legitimate websites.
Stock spam - New MP3 version will try to talk you into it
http://www.gfi.com/news/en/mp3spam.htm
http://www.vnunet.com/vnunet/news/2201466/pump-dump-spammers-tell-users
http://www.symantec.com/enterprise/security_response/weblog/2007/10/mp3_version_of_pumpanddump_sto.html
http://www.google.com/search?hl=en&q=mp3+stock+spam
QUOTE: MP3 Version of Pump-and-Dump Stock Spam. Pump-and-dump stock spam is a classic example of the sophistication and diversity of spam techniques. Recently the pump-and-dump spammers have started using mp3 files as a new method of spreading stock spam. In the latest observations we’ve seen an mp3 file as an attachment in the body of an email message – without any content – and the subject line usually includes “RE:”, “FW:”, or is sometimes just blank. The “From:” address is usually random. Another feature of this new pump-and-dump stock attack is that the mp3 files have random names, such as the following examples:
"ciara.mp3"
"elvis.mp3"
"crazylady.mp3"
"chrisbrown.mp3"
"jillscott.mp3"
"crush.mp3"
The average file size is approximately 63.3 kb, with the garbled stock tip lasting for about 30 seconds. The audio content sounds something like the below example: “Hello, this is an Investor alert. nnnnn Inc. has announced it is ready to launch its new nnnnn.com Web site. Already a huge success in Canada, we are expecting amazing result in USA. Go read the news and hit on nnnnn that Symbol get it nnnnn Thank you”
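As an added example (not code from Symantec or the original post), the following Python turns the indicators quoted above into a mail-filter heuristic that can be run over extracted message metadata. The sample messages are constructed, and the attachment size window and score threshold are assumptions rather than figures from the post.

```python
import re

# Added example of a mail-filter heuristic for the MP3 stock-spam pattern.
# Message records below are constructed, not real captured mail; the size
# window and the score threshold are assumptions, not figures from the post.

SUBJECT_RE = re.compile(r"^\s*(RE:|FW:)?\s*$", re.IGNORECASE)  # "RE:", "FW:" or blank
WORDLIKE_MP3 = re.compile(r"^[a-z]+\.mp3$")                     # ciara.mp3, elvis.mp3, ...
SIZE_WINDOW = (40_000, 90_000)   # assumed band around the ~63.3 kb average reported

def mp3_stock_spam_indicators(msg):
    """Return the list of indicators from the post that this message exhibits."""
    hits = []
    if SUBJECT_RE.match(msg["subject"]):
        hits.append("subject is RE:/FW:/blank")
    if not msg["body"].strip():
        hits.append("empty body")
    attachments = msg["attachments"]
    mp3s = [(n, s) for n, s in attachments if n.lower().endswith(".mp3")]
    if len(attachments) == 1 and len(mp3s) == 1:
        name, size = mp3s[0]
        hits.append("single mp3 attachment")
        if WORDLIKE_MP3.match(name):
            hits.append("random word-like file name")
        if SIZE_WINDOW[0] <= size <= SIZE_WINDOW[1]:
            hits.append("~30 s low-bitrate clip size")
    return hits

def is_mp3_stock_spam(msg, threshold=4):
    """Quarantine when at least `threshold` indicators coincide (assumed cut-off)."""
    return len(mp3_stock_spam_indicators(msg)) >= threshold

SAMPLE_MESSAGES = [  # constructed metadata, as a filter would extract it
    {"subject": "RE:", "body": "", "attachments": [("ciara.mp3", 64_800)]},
    {"subject": "", "body": "", "attachments": [("jillscott.mp3", 62_100)]},
    {"subject": "Podcast episode 12", "body": "Here is this week's show.",
     "attachments": [("episode12.mp3", 8_400_000)]},
    {"subject": "FW: invoice", "body": "See attached.",
     "attachments": [("invoice.pdf", 120_000)]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(is_mp3_stock_spam(m), mp3_stock_spam_indicators(m))
```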
All Firefox users should move to the latest release for improved security. Most users will be prompted to autoupdate and these security improvements should be completed as soon as possible.
Firefox 2.0.0.8 - Security Release http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8
Mozilla Foundation Security Advisory - Fixed in Firefox 2.0.0.8
MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption
Oracle DBAs and system administrators should pilot test and quickly deploy the quarterly security updates as applicable.
Related Article http://news.yahoo.com/s/pcworld/20071015/tc_pcworld/138431
Oracle - Quarterly Release Links http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle - October 2007 Security release details http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
QUOTE: Oracle Corp. will release security updates for its products next week fixing 51 vulnerabilities in its products. Included in the Critical Patch Update, set to be released Tuesday, will be critical updates for the company's flagship Oracle Database. Twenty-seven database bugs will be fixed, but five of the bugs can be "exploited over a network without the need for a username and password," Oracle said in a note on next week's patches.
Recently, we may have been in the "calm before the storm", as e-card attacks have diminished somewhat. These 3 blog posts point to more innovation in new attacks that could be coming soon:
Storm Worm - New encrypted packets and I-Frame injection version coming http://www.symantec.com/enterprise/security_response/weblog/2007/10/strengthening_storm_almost_hur.html http://www.secureworks.com/research/blog/index.php/2007/10/15/the-changing-storm/ http://blogs.pcmag.com/securitywatch/2007/10/the_gathering_storm.php
QUOTE: Strengthening Storm – Almost Hurricane? The new Storm worm variants being seen these days have yet again evolved and are gaining strength. Well, at least in encryption technology. The P2P UDP packets (made up of the header and payload) are now encrypted using a 40-byte key. As our friends at Secure Works pointed out here, this is definitely good news for network administrators who have to deal with legitimate P2P overnet traffic. The encryption is trivial and isn't the only new thing found in this variant. It seems to have some new techniques for propagation. Firstly, it is able to scan the file system and drop an executable into any folder with at least one .exe file. Secondly, the worm is able to harvest email addresses from the file system and send spam to those addresses. Lastly, it is able to search for .htm, .html, and .php files and inject malicious IFRAME code into them.
Opera browser users should upgrade to the latest version, as the following security improvements have been made.
QUOTE:
Security
- Fixed an issue where external news readers and e-mail clients could be used to execute arbitrary code, as reported by Michael A. Puls II. See our advisory.
- Fixed an issue where scripts could overwrite functions on pages from other domains. See the advisory. Issue reported to Opera by David Bloom.
Opera 9.24 for Windows is available for download
One of the most technical and in-depth analyses of the Storm Worm botnet can be found in the links below. Every new development should be watched by security professionals, as these constant attacks use convincing and innovative social engineering schemes (e.g., e-cards). Once a workstation becomes infected, it becomes a member of the botnet consisting of at least 1.6 PCs. These infections are also difficult to detect and clean, as advanced rootkit techniques are used.
Storm Worm - Comprehensive Analysis by Cyber-TA http://www.cyber-ta.org/pubs/StormWorm/ http://www.cyber-ta.org/pubs/StormWorm/report/ http://www.cyber-ta.org/pubs/StormWorm/links.html
QUOTE: Since early 2007 a new form of malware has made its presence known on the Internet by its prolific growth rate, its ability to distribute large volumes of spam, and its ability to avoid detection and eradication. Storm Worm (or W32.Peacomm, Nuwar, Tibs, Zhelatin), as it is known, is a highly prolific new generation of malware that has gained a significant foothold in unsuspecting Microsoft Windows computers across the Internet.
Storm, like all bots, distinguishes itself from other forms of malware by its ability to establish a control channel that allows its infected clients to operate as a coordinated collective, or botnet. However, even among botnets Storm has further distinguished itself by being among the first to introduce a fully P2P control channel, to utilize fast-flux to hide its binary distribution points, and to aggressively defend itself from those who would seek to reverse engineer its logic. Despite all the hype and paranoia surrounding Storm, the inner workings of this botnet largely remain a mystery.
Additional Links and Information http://en.wikipedia.org/wiki/Storm_Worm http://www.cyber-ta.org/pubs/StormWorm/links.html