Archive for September, 2006

Microsoft releases three security bulletins for September

Today Microsoft patched three vulnerabilities. The one rated important, MS06-052, “Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution”, can be exploited remotely without user interaction. However, only Windows XP systems on which the non-default Microsoft Queuing Service (MSMQ) has been installed are vulnerable. Administrators who have installed MSMQ are strongly advised to install the MS06-052 patch as soon as their processes allow. The other two vulnerabilities require user interaction for an attack to succeed.

Updated versions of last month's graphs are shown below. They show that September is usually a month with few or no patches.

[Graph: Critical vulnerabilities addressed by Microsoft]
[Graph: Important vulnerabilities addressed by Microsoft]

Grassing up spammers still works

Whilst investigating how spammers are abusing free web site hosting providers, McAfee Avert Labs has discovered that very few spammers have the technology or resources to abuse the free web hosting providers in an automated or bulk manner. This leads to a vertical marketplace where a spammer (with the necessary skills) can sell this alternate form of web site hosting to other spammers. These “link providers” create and maintain thousands of free hosting accounts on behalf of the spammers, which are then used to redirect to spam web sites. The providers can update the redirects, so that when the final spam web pages are taken down by ISPs, web hosts, or domain resellers, the redirects can be updated to link to another live spam web site.

For this service, plus 50 accounts per day, one particular “link provider” charges $25 a week or $0.04 per link ($25 is roughly the cost of 3-4 real domain names). Some spammers like the free hosting providers: they know the bigger hosts are unlikely to get blacklisted because they have many legitimate users.

Grassing them up: After some discussions we started sending data to one of the larger free hosting providers about accounts seen in our vast network of spam traps. Within about an hour they were regularly confirming our data and taking down the accounts. This relationship has cut the abuse observed by us on that provider by over 90% in just over a week. Let’s hope those spammers are buying their new watches from pound$hop, rather than Bolex, this summer!

Google Analytics and Bots

Every day we see different things that the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned about not having an organized way to check on the bots, such as their geographic distribution. But how can he or she accomplish this easily? Yes, Google Analytics! As many of you know, Google offers Google Analytics (www.google.com/analytics) as a free service that allows anyone to collect and view tracking information about website visitors, such as unique visitor tracking, daily visitors and geo location…

The following code was found in this bot variant. It is the typical snippet that one would add to a web page to make Google Analytics work:

_uacct = "UA-XXXXXX-X";   // Google Analytics account ID (redacted here)
_udn = "xxxxxx.com";      // domain the visits are attributed to (redacted here)
urchinTracker();          // records the visit using the legacy urchin.js tracker

The _uacct and _udn parameters identify the site owner, so that the collected statistics are attributed to that account.
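As an added example (not code from the original post), here is a small triage helper that scans a strings dump of a sample for the legacy urchin.js markers and pulls out the account and domain identifiers, so an analyst can note them without mistaking a lone "UA-" string for tracker code; the sample dump and its IDs are constructed placeholders:

```python
import re

# Constructed sample (not from the page): a fragment of a binary's strings
# output in which a tracker snippet like the one above is embedded.
SAMPLE_STRINGS = """
kernel32.dll
GetTickCount
_uacct = "UA-000000-0";
_udn="example.invalid";
urchinTracker();
http://www.google-analytics.com/urchin.js
"""

# Legacy urchin.js tracker markers. Finding them in an executable rather than
# in a web page is an oddity worth a second look during triage.
ACCOUNT_RE = re.compile(r'_uacct\s*=\s*["\'](UA-\d+-\d+)["\']')
DOMAIN_RE = re.compile(r'_udn\s*=\s*["\']([^"\']+)["\']')
TRACKER_RE = re.compile(r'\burchinTracker\s*\(')


def find_tracker_artifacts(text):
    """Return the analytics identifiers found in a strings dump, or None.

    A result is only reported when the tracker call itself is present; a
    lone 'UA-' string is too weak an indicator on its own.
    """
    if not TRACKER_RE.search(text):
        return None
    account = ACCOUNT_RE.search(text)
    domain = DOMAIN_RE.search(text)
    return {
        "account": account.group(1) if account else None,
        "domain": domain.group(1) if domain else None,
    }


def triage(text):
    """One-line verdict an analyst can drop into a sample note."""
    hit = find_tracker_artifacts(text)
    if hit is None:
        return "no Google Analytics tracker code found"
    return ("embedded Google Analytics tracker: account=%s domain=%s"
            % (hit["account"], hit["domain"]))


if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```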

Yet another example of how the miscreants are organizing themselves…

Internet browsers and cyber-crime

Thousands of websites are compromised everyday. Many end up defaced or vandalized with greetz to the hacker and flames to the system administrator for failing to maintain server security. Defacing is the lowest form of internet graffiti and is usually done for fun or attention.

More sinister is when organized crime groups use compromised web servers to host malware. The compromised web pages are modified to host zero-day exploits that compromise users via drive-by downloads, or the servers are used as staging points from which trojan downloaders pull and push further malware. Attack script toolkits like WebAttacker are sold on the internet and then custom-configured to infect visiting computers without any user interaction. An attacker only needs to send spam emails or instant messages inviting recipients to visit a compromised website hosting the exploit and its malware payload.

So how does one know where the attacks will come from? What can be done to track down the bad guys and combat them? One of many ways is to scan the internet for vulnerable systems and then monitor the sites found to be vulnerable, waiting for them to be hacked. Once a site is compromised, don’t attempt to get the compromised server shut down, as that would only make the bad guys move elsewhere. Rather, keep an eye on the server and monitor it for any malicious uploads and downloads.

To quote a recent example, when code for the Exploit-WMF was released, a security company was able to come up with a listing of over a hundred sites that were compromised and hosting this exploit, much faster than the big search engines indexed the Internet. Critics may argue that this is akin to watching the enemy plant landmines and waiting for hapless victims to step on them because one happens to be in the business of manufacturing prosthetic limbs. The more intel that can be gathered, the better chance the security community has of shutting down the bad guys. Let us all work with law enforcement and the intel communities.
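As an added example of the monitoring described above (not the original post's code), the following compares a watched page as first recorded against its current contents and reports newly added script and iframe loaders, with zero-size or hidden iframes flagged first; the two HTML samples and the bad.invalid host are constructed:

```python
from html.parser import HTMLParser

# Constructed samples (not from the page): a site page as first recorded, and
# the same page after a zero-size iframe and an off-site script were injected.
BASELINE_HTML = """<html><body>
<script src="/js/menu.js"></script>
<p>Welcome to our store.</p>
</body></html>"""

MODIFIED_HTML = """<html><body>
<script src="/js/menu.js"></script>
<p>Welcome to our store.</p>
<iframe src="http://bad.invalid/in.cgi" width="0" height="0"></iframe>
<script src="http://bad.invalid/counter.js"></script>
</body></html>"""


def _attr(attrs, name):
    # Attribute values may be None for bare attributes; normalise for matching.
    return (attrs.get(name) or "").replace(" ", "").lower()


class LoaderCollector(HTMLParser):
    """Collects every script/iframe src, flagging iframes sized or styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.loaders = set()  # entries are (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            hidden = tag == "iframe" and (
                _attr(a, "width") == "0"
                or _attr(a, "height") == "0"
                or "display:none" in _attr(a, "style")
            )
            self.loaders.add((tag, a["src"], hidden))


def collect_loaders(html):
    parser = LoaderCollector()
    parser.feed(html)
    return parser.loaders


def new_loaders(baseline_html, current_html):
    """Loaders present in the current page but not in the baseline, hidden ones first."""
    added = collect_loaders(current_html) - collect_loaders(baseline_html)
    return sorted(added, key=lambda entry: (not entry[2], entry[0], entry[1]))


if __name__ == "__main__":
    for tag, src, hidden in new_loaders(BASELINE_HTML, MODIFIED_HTML):
        print("%s %s -> %s" % ("HIDDEN" if hidden else "new", tag, src))
```

Anything it reports is a change to investigate, not proof of compromise: a legitimate site redesign also adds loaders, so the baseline should be refreshed once a change has been reviewed.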

The internet is a scary place as crime increasingly becomes an omnipresent menace. The window between vulnerability discovery and its incorporation into exploit code has shrunk from months or weeks to true zero-day, as attackers and security experts are perpetually in a race against time. Browser vulnerabilities and exploits such as Exploit-VMLFill are just a prelude to a series of pending exploits that pose the fastest-growing threats to internet surfing. At the time of writing, Microsoft is working on a security update to address this vulnerability, with the goal of releasing it on Tuesday, October 10, 2006, or sooner.

With ever-increasing browser-based attacks, it is more important than ever that users not trust seemingly familiar or safe links, particularly when received via instant messengers, Internet Relay Chat or email. McAfee Avert Labs is committed to continued research against all known exploits of the Vector Markup Language vulnerability and will continue to update our coverage as new attack vectors and threats emerge. The problem will not go away, but we can sure make life difficult for the bad guys.

ATM security is still computer security

There have been a few articles today about a method of hacking ATMs whose default administrative passwords have not been changed. This shouldn't be entirely surprising, for a number of reasons. We already know some ATMs are vulnerable to viruses, voting machines can be hacked, and so on. Good security practices are good security practices regardless of the specific operating system being used. The hacking incidents mentioned above, in particular, are caused by the same basic conditions that have led to the prevalence of things like bots and password-stealers. In the case of the voting machines and password-stealers, important data kept unencrypted is easy to steal or manipulate. In the case of ATMs and bots, using easy-to-guess passwords makes it very easy to add or subtract things from your machine.

People seem to get lulled into complacency because their particular machine or operating system isn't in common usage, regardless of whether the OS is on a laptop/desktop machine or on another sort of device. Security through obscurity will only get you so far, especially when your device has something of monetary value on (or in) it.

ZERT - ZeroDay Emergency Response Team

The ZERT (ZeroDay Emergency Response Team) launched today. The goal of this group of security professionals is to study 0-day exploits and develop unofficial patches when those exploits pose a security risk to the internet or to users in general and a vendor-supplied patch has not yet been released.

This is an interesting approach, since we have recently seen so many critical security vulnerabilities and exploits without patches. Remember the Windows WMF vulnerability?

On the other hand, despite the fact that the ZERT group may perform extensive testing, it is ALWAYS advisable to perform your own tests in your own environment if you plan to apply their patches, since they may break applications or conflict with a software or hardware vendor's guarantee.

Anyway, it is nice to see efforts like this.

“Another Day, Another 0-day”

As one zero-day gets patched (Microsoft released an out-of-cycle patch for the recent VML Fill vulnerability), another is found.

Today we discovered an exploit affecting Microsoft PowerPoint (preliminary testing shows Office 2000, Office XP, and Office 2003 are affected). A single target of this exploit has been identified, so like other recent Microsoft Office 0-day discoveries, it appears that this one is also a targeted attack.

What makes this attack interesting is the fact that Microsoft’s antivirus product appears to have added detection three days ago. The only public information on these threats is the boilerplate Malicious Software Encyclopedia entries (which show an incorrect discovery date of Sep 26, when virus definition files from Sep 23 already detect them):

There isn’t a public advisory from Microsoft, suggesting that Microsoft’s security team knew of this in-the-wild attack but did not make the information public.

For the record, I am not a fan of full disclosure (the concept, not explicitly the mailing list). I believe that more money has been lost, more data stolen, and more illegal activity around exploits has happened because of full disclosure. Historically, those with the skills to find vulnerabilities and create exploits are not the ones who write Blaster and Sasser, etc. Generally, the people who heavily abuse exploit code have “copy & pasted” the work of others. They customize the payload and release, and in these cases damages would have been significantly reduced if it were not for the availability of exploit details.

That said, if an attack is in the wild, acknowledgment of the attack is not something to conceal. Non-disclose the nitty-gritty details, but do inform.

- Update Sep 27, 2006 9:30 -
Correction, coverage went into the 4861 DAT release.

- Update Sep 26, 2006 17:00 -
McAfee antivirus coverage for these two exploits was released earlier today in DAT version 4860; detected as Exploit-PPT.d trojan.

“Small SMiSh, Big Pond”

Just last month we received our first live example of SMiShing. This month we've received evidence that the author of VBS/Eliles.A has taken umbrage at the AV industry's naming conventions, specifically rule #1: we never name malware after the author's suggested or intended name. This is to discourage people from writing new malware in order to gain notoriety.

The Eliles author, let's call him Eli, is not taking this sitting down. One of our contacts in Asia sent us a sample of Eli's latest attempt at fame, VBS/Eliles.B. Eli left some parts of his worm intact.

Like his first try, VBS/Eliles.B also:

  • Hides drives, disables Registry editing and generally makes removing it a pain
  • Tries to disable your antivirus software
  • Sends itself via email to any address it can find
  • Attempts a SMiShing attack against customers of two mobile phone companies based in Spain

VBS/Eliles.B additionally:

  • Runs a script that types Eli's complaints on our naming and the occasional insult in the current window
  • Tries to disable your firewall software

VBS/Eliles.B really brings nothing new to the table. Aside from the SMiShing routines, Eli hasn't created anything new. All the other routines appear to have been created with various ready-made malware toolkits.

Considering that only the text and the download link have been changed in the SMiShing message, it is also doubtful that Eli had a hand in creating that routine. Eli is very likely a script kiddie, a relatively unskilled malware author. More of a mugger than a criminal mastermind.

VBS/Eliles.A & B are not large threats. The disturbing part is that while the SMiShing routines are targeted locally to a specific country in Europe, VBS/Eliles.B has made it to another country in Asia.

VBS scripts are distributed as plain text. Within 2 minutes, using a text editor, a malware author can cut and paste a few strings to generate a new SMiShing attack. Fortunately, Eli is not following the for-profit trend of his more skilled colleagues. Unfortunately, it looks like SMiShing source code is now available to more malware writers.

Today's minor threat can become a component of tomorrow's devastating attack.

Microsoft Security Advisory (925984) [CVE-2006-4694]

To follow up on my Another Day, Another 0-day post: today (Sep 27, 2006), Microsoft has released a security advisory for this vulnerability:

Microsoft Security Advisory (925984)
Vulnerability in PowerPoint Could Allow Remote Code Execution

The following versions of PowerPoint are affected:

  • PowerPoint 2000
  • PowerPoint 2002
  • PowerPoint 2003
  • PowerPoint 2004 for Mac
  • PowerPoint v. X for Mac

CVE-2006-4694 was assigned for this vulnerability on Sep 11, 2006.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4694

Evolution of PWS-Bankers

For some time now, I’ve been observing a change in the way PWS-Banker variants are created. McAfee Avert Labs used to see PWS-Bankers that targeted multiple banks, mostly South American banks. The new common schema used by the criminals consists of 4 different parts.

1) A PWS-Banker-downloader downloads an information file from one site (Site A). This file holds the URLs from which it will download the bankers.

2) The PWS-Banker-downloader then follows the URLs and tries to download the same target files from different sites (B and C), for redundancy.

3) The file downloaded can be either the PWS-Banker itself or a new PWS-Banker-downloader, which then downloads a PWS-Banker-dropper from yet another site (D).

4) The last file can also be a PWS-Banker.dr, a dropper that targets about 12 different banks, each with its own specific PWS-Banker.

The sketch below (taken with my cellphone camera) can help readers to better understand:
[Image: pws-schema]