Archive for February, 2007

Zero-Day Excels Over Word

There have been numerous stories recently covering unpatched Microsoft Word vulnerabilities. For reference, the CVE designations for these vulnerabilities are:

Recently McAfee Avert Labs added detection for Exploit-MSExcel.h, an Excel document submitted from the field. This exploit is consistent with other targeted zero-day attacks, and the attack is believed to be contained.

Microsoft has confirmed that this exploit targets an unpatched vulnerability. According to Microsoft’s Security Advisories Archive (Microsoft Security Advisories are released in advance of patch releases and are not to be confused with Microsoft Security Bulletins), the only Excel-related security advisory in the past 20 months was addressed in MS06-037. Numerous other Excel-related patches have been released during this time.

Update Feb 2, 2007 at 7 pm PST
Microsoft Security Advisory (932553) has been released and CVE-2007-0671 has been assigned. Microsoft describes this vulnerability as affecting the following products:

  • Microsoft Office 2003 
  • Microsoft Office XP 
  • Microsoft Office 2000
  • Microsoft Office 2004 for Mac

From the advisory:

Workarounds for Microsoft Office Remote Code Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

    • Do not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Office file.

McAfee Avert Labs has confirmed Microsoft’s testing; not opening malicious Office files successfully mitigates this threat.

Credit for Malware Writers?

From time to time we see malware writers claim or ask for recognition of their malware. They usually leave messages in the virus body for the AV companies to see. They might ask for jobs, or offer help to detect something; you will never understand a malware writer’s mind.

Today I was analyzing YAB (yet-another-bot) and found the following message in the virus body:

“ATTN ANTIVIRUS EMPLOYEE: If you’re going to name my very nicely coded modular bot, at least give it the proper name of ‘[Name Removed]Bot.’ Lots of love, Author of [Name Removed]Bot.”

Of course, we will NOT put the author’s name on the bot, so it will remain just a regular bot. :-)

McAfee Avert Labs at RSA

This marks the first year that Avert Labs has a direct presence at RSA. We will be running some very cool demos at the McAfee booth and answering questions about our research happenings. Some of the demos include password-stealing trojans, a botnet in action, and the coolest drive-by rootkit installation ever!!! Make sure you stop by booth 1730 and say “Sup Dawgs!”

We also know how hard it can be to try and catch a cab around the Moscone Center, so on Tuesday and Wednesday we will be offering free rides from RSA to any nearby location in San Francisco. Just look for the black Mini Coopers displaying the McAfee logo!

Keeping Spam Out of the Network

Accepting an e-mail implies that the message transfer agent (MTA) has accepted responsibility for performing onward delivery. This has legal implications in some countries nowadays. In most cases the legal requirements include keeping an archived copy of every e-mail that passes through the network. Given that an estimated 65 to 90 percent of all e-mail today is spam, companies can end up archiving terabytes of spam!

Unfortunately, most MTAs today accept and queue first, then dequeue and scan before onward delivery. This leads many operators to adopt something called accept-and-drop in an effort to reduce spam: if the e-mail is found to be spam after it has been accepted, it is simply discarded, silently. Under some legislation this could be considered illegal. Even worse is the case of a false positive, which results in a legitimate e-mail being discarded.

To combat spam effectively, it is necessary to stop it before it enters the network: reject it during the SMTP transaction, before the MTA has replied 250 and taken responsibility for it.
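The following is an added example, not code from the original post or from any McAfee product. It models the receiving MTA as a small state machine driven by the lines a sending MTA writes, and contrasts the two policies discussed above: rejecting with a 5xx reply before the message is accepted (so responsibility for delivery stays with the sender) versus replying 250 at the end of DATA and then discarding. The blocklist entries, the content rule, the hostnames and the sample dialogues are all constructed for the example.

```python
"""Rejecting spam in the SMTP transaction versus accept-and-drop (added example)."""

# Constructed: client addresses we treat as listed in a DNS blocklist.
BLOCKLISTED_CLIENTS = {"192.0.2.77"}

# Constructed: crude content rule; a real filter scores headers and body.
SPAM_PHRASES = ("cheap meds", "you have won")


def looks_like_spam(message):
    lower = message.lower()
    return any(phrase in lower for phrase in SPAM_PHRASES)


class ReceivingMTA:
    """Server side of SMTP: handle() returns the reply for one client line."""

    def __init__(self, client_ip, policy):
        assert policy in ("reject", "accept-and-drop")
        self.client_ip = client_ip
        self.policy = policy
        self.in_data = False
        self.data_lines = []
        self.queued = []    # messages we accepted responsibility for
        self.dropped = []   # accepted with 250, then silently discarded

    def handle(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._end_of_data("\n".join(self.data_lines))
            self.data_lines.append(line)
            return None     # body lines get no reply until the final "."
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            # Earliest cheap point to refuse a listed client: nothing has
            # been transferred yet and the sender still holds the message.
            if self.policy == "reject" and self.client_ip in BLOCKLISTED_CLIENTS:
                return "550 5.7.1 Client host blocked by local policy"
            return "250 2.1.0 OK"
        if verb == "RCPT":
            return "250 2.1.5 OK"
        if verb == "DATA":
            self.in_data = True
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def _end_of_data(self, message):
        spam = looks_like_spam(message)
        if self.policy == "reject" and spam:
            # A 5xx here, instead of 250, means we never took responsibility
            # for the message; the sending MTA must bounce or retain it.
            return "550 5.7.1 Message rejected as spam"
        # Replying 250 is the moment responsibility transfers to us.
        if spam:
            self.dropped.append(message)   # accept-and-drop: nobody is told
        else:
            self.queued.append(message)
        return "250 2.0.0 Queued"


# Constructed dialogue from a blocklisted host sending an obvious spam.
SPAM_SESSION = [
    "EHLO bulk.example",
    "MAIL FROM:<offers@bulk.example>",
    "RCPT TO:<user@example.net>",
    "DATA",
    "Subject: cheap meds",
    "",
    "Buy now!",
    ".",
]

# Constructed dialogue carrying a legitimate message.
CLEAN_SESSION = [
    "EHLO partner.example",
    "MAIL FROM:<alice@partner.example>",
    "RCPT TO:<user@example.net>",
    "DATA",
    "Subject: meeting",
    "",
    "See you at 10.",
    ".",
]


def run_session(client_ip, policy, client_lines):
    """Drive one SMTP session; return the MTA and a (sent, reply) transcript.

    Like a well-behaved sending MTA, the scripted client stops and QUITs as
    soon as it receives a 5xx reply.
    """
    mta = ReceivingMTA(client_ip, policy)
    transcript = []
    for line in client_lines:
        reply = mta.handle(line)
        transcript.append((line, reply))
        if reply is not None and reply.startswith("5"):
            break
    transcript.append(("QUIT", mta.handle("QUIT")))
    return mta, transcript
```

Running `run_session("192.0.2.77", "reject", SPAM_SESSION)` ends the dialogue at MAIL FROM with a 550, and nothing is queued or dropped on our side; the same client under `"accept-and-drop"` gets `250 2.0.0 Queued` and the message lands in `dropped`, which is exactly the state the archiving and false-positive concerns above are about.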


Bot Countermeasures

Malware authors have been at the cutting edge of incorporating exploit code for zero-day vulnerabilities into their creations. Fueled by financial incentives and readily available source code, today’s bad guys aggressively pursue the continued development of malware. Over the years, the window between a vulnerability’s disclosure and its incorporation into a worm or exploit has shrunk from months, to weeks, to zero days. This leaves administrators very little time to schedule and deploy patches to all the servers and workstations on their networks. If the network is hit during that window by a bot that uses a zero-day vulnerability, an organization could face a worm outbreak or a large-scale attack.

The table below shows the time between a patch becoming available and malware authors incorporating the vulnerability into a worm.

Patch      Malware   Patch availability   Worm attack date   Days until worm appeared
MS01-020   Nimda     Oct 17, 2000         Sept 18, 2001      335
MS02-061   Slammer   July 24, 2002        Jan 25, 2003       185
MS03-026   Blaster   July 16, 2003        Aug 11, 2003       26
MS04-011   Sasser    Apr 13, 2004         Apr 30, 2004       17
MS05-039   Zotob     Aug 9, 2005          Aug 14, 2005       5
MS06-040   Mocbot    Aug 8, 2006          Aug 12, 2006       4

The paper “Defeating bots on the internal network” from McAfee Avert Labs, published in the February 2007 issue of Virus Bulletin, describes setting up an IRC honeypot on a network, using minimal resources and requiring little maintenance, as an early-warning system that alerts on botnet activity: no legitimate internal host has any reason to speak IRC to it, so any client that connects, registers and joins a channel is suspect. It also discusses using the internal IRC honeypot to take control of infected machines and remove the bot from them.
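The following is an added example and not code from the Virus Bulletin paper or from McAfee. It implements the idea above as a minimal fake IRC server: it answers just enough of the protocol (NICK/USER registration, PING, JOIN) that a bot proceeds to its channel and reveals the channel name, key and first commands, and it raises an alert for each of those events. The server name, the hypothetical bot nick and the sample dialogue are constructed for the example; `replay()` drives the same state machine offline so the logic can be checked without a socket.

```python
"""Minimal IRC honeypot for early warning of bot activity (added example)."""
import socketserver
from dataclasses import dataclass, field

SERVER_NAME = "irc.honeypot.internal"   # assumed hostname for this honeypot


@dataclass
class Session:
    peer: str
    nick: str = ""
    user_seen: bool = False
    registered: bool = False
    channels: dict = field(default_factory=dict)   # channel -> key
    alerts: list = field(default_factory=list)

    def handle(self, line):
        """Process one client line; return the reply lines to send back."""
        line = line.rstrip("\r\n")
        if line.startswith(":"):                      # drop optional prefix
            line = line.split(" ", 1)[1] if " " in line else ""
        parts = line.split(" ")
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK" and args:
            self.nick = args[0]
            return self._maybe_welcome()
        if cmd == "USER":
            self.user_seen = True
            return self._maybe_welcome()
        if cmd == "PING":
            token = " ".join(args).lstrip(":")
            return [f":{SERVER_NAME} PONG {SERVER_NAME} :{token}"]
        if cmd == "JOIN" and args:
            # "JOIN #a,#b key1,key2": the key is what admits the bot to its
            # real C&C channel, so it is the most valuable thing to record.
            chans = args[0].split(",")
            keys = args[1].split(",") if len(args) > 1 else []
            out = []
            for i, chan in enumerate(chans):
                key = keys[i] if i < len(keys) else ""
                self.channels[chan] = key
                self.alerts.append({"peer": self.peer, "nick": self.nick,
                                    "event": "join", "channel": chan, "key": key})
                out.append(f":{self.nick}!bot@{self.peer} JOIN :{chan}")
                out.append(f":{SERVER_NAME} 366 {self.nick} {chan} :End of /NAMES list.")
            return out
        if cmd == "PRIVMSG" and len(args) >= 2:
            text = " ".join(args[1:]).lstrip(":")
            self.alerts.append({"peer": self.peer, "nick": self.nick,
                                "event": "privmsg", "channel": args[0], "text": text})
            return []
        return []                                     # ignore everything else

    def _maybe_welcome(self):
        # Send the 001 welcome once both NICK and USER have been seen.
        if self.registered or not (self.nick and self.user_seen):
            return []
        self.registered = True
        self.alerts.append({"peer": self.peer, "nick": self.nick, "event": "register"})
        return [f":{SERVER_NAME} 001 {self.nick} :Welcome to {SERVER_NAME}"]


class HoneypotHandler(socketserver.StreamRequestHandler):
    """One TCP connection; prints each alert as soon as it is raised."""

    def handle(self):
        sess = Session(peer=self.client_address[0])
        reported = 0
        for raw in self.rfile:
            for reply in sess.handle(raw.decode("latin-1", "replace")):
                self.wfile.write((reply + "\r\n").encode("latin-1", "replace"))
            for alert in sess.alerts[reported:]:
                print("ALERT", alert)
            reported = len(sess.alerts)


def replay(peer, lines):
    """Drive a Session offline with a captured or constructed dialogue."""
    sess = Session(peer=peer)
    replies = []
    for line in lines:
        replies.extend(sess.handle(line))
    return sess, replies


# Constructed: what a typical IRC bot sends right after connecting.
SAMPLE_BOT_DIALOGUE = [
    "NICK [USA|XP]-7d3f2a",
    "USER xp 0 * :xp",
    "JOIN #sc4n s3cretkey",
    "PING :irc.honeypot.internal",
    "PRIVMSG #sc4n :.ver",
]


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 6667), HoneypotHandler) as srv:
        srv.serve_forever()
```

Run it on a spare internal host listening on 6667 (and any other port the local bots are known to use) and feed the printed alerts to the SIEM; the peer address identifies the infected machine and the recorded channel and key tell the responder where the real command-and-control lives. Because the bot treats the honeypot as its C&C, commands can also be sent back on that channel, but which command text a given bot family honours (for example to uninstall itself) is family-specific and is not modelled here.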

Introducing the McAfee Mini-Cooper!!!!

Yes, the rumors are true. We have confirmed sightings of the highly anticipated but never duplicated McAfee Mini-Cooper!

Remember to stop by our RSA booth, check out the demos and get free rides in the McAfee Mini-Cooper!!!!

Rethinking Web 2.0

There’s a video making the rounds that was made by Michael Wesch, an assistant Cultural Anthropology Professor at Kansas State University. It’s an inspiring look at the wonders of Web 2.0. In one particular scene, he discusses a few things that we will need to rethink in light of this revolution: copyright, authorship, identity, ethics, governance, privacy, commerce, etc.

He’s entirely right. And the time to do that is now.

Throughout the history of computing, and perhaps of human history itself, we’ve had opposing forces–power vs. security, connectivity vs. trust. A new tool comes out, and it increases our ability to do something–say, automate tasks in a word processor or connect to people in a new way. People quickly learn how to use this tool for malicious purposes, and then rules get put in place to keep people from using it maliciously.

The Internet is a relatively new tool that has been widely used for malicious purposes, but it’s not something as simple as using a word processor. People access the Internet with countless common protocols and countless applications for each, with more appearing every day.

The main component of security is that trust must be earned. People establish credentials, or you get to know them, before you let them at your personal and financial data–things that could be used against you for malicious purposes. Most people don’t truly understand how to use a computer, much less know how to verify credentials. And then there are those who are so excited by the opportunity to connect that they don’t even bother to try. (How many of you MySpace users have people on your friends’ list that you’ve never met in person or even had an entire conversation with?)

What we have now is power far beyond most people’s abilities or desire to comprehend. It’s reaching a critical point where that ignorance can not only cost you your reputation, but also your money and your freedom. This message just isn’t reaching the people who need to hear it: the ones who are least apt to understand how to protect themselves, the people who are unlikely to be reading these technically oriented articles.

It’s when we can rethink the message enough to get it put on the back of cereal boxes that we’ll actually make a difference in this situation. When we can make this simple and compelling enough to explain it to a six-year-old, as Richard Feynman might have said, we can look forward to a decrease in the malicious use of the Internet.

Exploit Targeting Unpatched Word Vulnerability Spotted

On the heels of my Zero-Day Excels Over Word blog, McAfee Avert Labs is currently investigating a new Word exploit. Preliminary analysis shows that this is a different issue from those referenced in my last blog:

  • CVE-2006-5994
  • CVE-2006-6456
  • CVE-2006-6561
  • CVE-2007-0515
  • CVE-2007-0621 (Microsoft states this is a duplicate of CVE-2006-6456)
  • CVE-2007-0671 (Office zero-day uncovered by McAfee Avert Labs)

This new exploit may be related to MS06-027; the DAT files have proactively detected this new threat as a variant of Exploit-MS06-027 since June 2006. This threat appears to exploit Word 2000. Again, this is preliminary analysis. We are working with Microsoft to confirm the history of this vulnerability and will update the blog when we have more information.

Like many of the recent Word exploits, this appears to have been used in a very limited and targeted attack.

Update Feb 9, 1:30pm
Microsoft has acknowledged this issue. They state that it is limited to a Denial of Service attack on Word 2000 and that code execution is not possible.

Denial of Service is clearly not as critical as other recent issues. Looks like this targeted attack was flawed.

Update Feb 14, 4:30pm

Further analysis shows this is likely not limited to denial of service. See Exploit Targeting Unpatched Word Vulnerability Spotted (Follow-up)

W32/Fujacks: Panda Malware Breeders Arrested

Today, Xinhua News Agency reported the arrest of several suspects believed to have been behind the creation and propagation of the W32/Fujacks file infector worm, better known by the panda icon it gives to infected files.

In the article, the official Chinese media cited an announcement from the Public Security Department of Hubei Province naming 8 suspects, including a 25-year-old believed to be “WhBoy”, the infamous nickname embedded in most variants of W32/Fujacks.

Xinhua’s article in Chinese:

http://news.xinhuanet.com/legal/2007-02/12/content_5731540.htm

Throughout 2006 and continuing into 2007, McAfee Avert Labs has been closely monitoring trends in cyber-criminal activity in Asia. W32/Fujacks, among other profit-motivated multi-vector attacks, spiked in 2006, and this looks to be a trend that will continue in 2007.

Graph: Asian Malware Trend

Between Q3 and Q4 2006, we saw a spike in the number of reported variants of Asian password-stealers and related trojans and file infectors. We blogged about this phenomenon with W32/HLLP.Philis variants in November 2006. What lies behind these raw figures, however, is the increasing sophistication of Asian malware threats.

Both W32/HLLP.Philis and W32/Fujacks are more than the usual file infectors. These are multi-vector threats: they usually include an aggressive downloader that updates itself frequently, and they infect both executable and non-executable files over loosely controlled media such as open network shares and USB drives, slipping through the cracks of loosely managed IT policies. Once established, they can go on to infect trusted files with malicious code or hyperlinks, whether through PE file infection or through web-based exploits placed in HTML or media files and aimed at unpatched, vulnerable applications.

This approach of attacking multiple system and user vulnerabilities at multiple layers dramatically increases the criminal opportunities for these malware authors. Indeed, we have seen a comparable rise in the number of associated password-stealer variants reported, a considerable source of revenue for the worm seeders.

The lack of cyber-crime law enforcement in China has often been blamed for the rise in malware threats propagating from this region. It is encouraging to see, with these arrests, the start of what appears to be the end of the first major cyber-crime case in China. At the same time, enterprises need to consistently review and tighten their current IT strategies to protect against the sophisticated attacks of today.


McAfee SiteAdvisor Technology Honored at RSA2007

Alright, maybe it is not exactly research related, but I think it’s pretty cool. We previously announced that McAfee SiteAdvisor has been acknowledged by the U.S. Department of Commerce with its “Recognition of Excellence in Innovation” honor. The award was presented by the Honorable Robert Cresanti, U.S. Under Secretary of Commerce for Technology, for the technology’s innovative approach to making the Internet a safer place for consumers to search and surf.

A couple of pics below from the McAfee RSA booth:

SiteAdvisor Award 1

SiteAdvisor Award 2

That is McAfee’s CTO Christopher Bolin (in the middle) receiving the award from Under Secretary of Commerce Cresanti, with McAfee’s Interim CEO Dale Fuller to the left.

Huliq has a nice writeup of it available here.